Information transfer system, encryption device, and decryption device

ABSTRACT

To provide a content delivery system which enables a ciphertext to be reduced in size when using the ElGamal cipher. A content delivery device performs elliptic curve encryption on a content key, generates an encrypted content key that includes an x coordinate of an elliptic curve point obtained by the elliptic curve encryption, and outputs the encrypted content key. A content reception device receives the encrypted content key, and calculates a y coordinate of the elliptic curve point using the x coordinate included in the encrypted content key. The content reception device then performs elliptic curve decryption using the elliptic curve point and other information included in the encrypted content key, to generate a decrypted content key.

TECHNICAL FIELD

The present invention relates to secret information transfer techniquesthat use cryptography for information security.

BACKGROUND ART

In recent years, cryptography is employed in a variety of fields, toconduct communication securely without the communicated content beingrevealed to third parties.

For example, when delivering a storage medium, e.g. a DVD, on whichcontent such as music or movies is recorded or transmitting the contentvia a network to many users, the content is encrypted so as to preventunauthorized use.

There are mainly two types of cryptography: secret key cryptography andpublic key cryptography. In secret key cryptography, the same key isused for encryption and decryption. Therefore, it is necessary for asender (that performs encryption) and a receiver (that performsdecryption) to share the key beforehand. In public key cryptography,meanwhile, different keys are used for encryption and decryption, withthe decryption key being kept secret and the encryption key being madepublic.

DES (Data Encryption Standard) is one type of secret key cryptography.DES is a block cipher that uses a plaintext, a ciphertext, and a keywhich are each 64 bits long. In DES, a plaintext block is firstsubjected to an initial permutation which changes the order of bits insuch away that adjacent bits are separated by approximately 32 bits. Thepermuted block is then subjected to 16 identical stages of conversion.

Elliptic curve ElGamal is one type of public key cryptography. Ellipticcurve ElGamal is constructed by applying a multiplication operation ofan ElGamal cipher on a finite field to an addition operation on anelliptic curve.

Elliptic curve ElGamal is the following.

A receiver (that performs decryption) holds secret key ks of ellipticcurve ElGamal, in secrecy.

A sender (that performs encryption) holds public key KP corresponding tosecret key ks:KP=ks*G

where G is a base point on an elliptic curve in elliptic curve ElGamal,and ks*G is a point on the elliptic curve obtained by adding G to itself(ks−1) times.

This being so, the sender generates ciphertext EKC from plaintext KC inthe following manner.

(Step 1) Generate random number k, and calculate PC=k*G.

(Step 2) Calculate k*KP.

(Step 3) Convert plaintext KC to point P_KC=f(KC) on the elliptic curve.Conversion function f used here is explained later.

(Step 4) Calculate C=P_KC+k*KP.

(Step 5) Send PC and C as ciphertext EKC.

The receiver generates decrypted text KC′ from ciphertext EKC in thefollowing manner.

(Step 1) Calculate ks*PC, using PC included in ciphertext EKC.

(Step 2) Calculate P_KC′=C−ks*PC, and convert P_KC′ to an integer tothereby obtain decrypted text KC′=f⁻¹(P_KC′). Here, f⁻¹ is an inverse ofconversion function f. Decrypted text KC′ is expected to be equal toplaintext KC, for the following reason.

Sinceks*PC=ks*k*G=k*KP

holds true, $\begin{matrix}{{P\_ KC}^{\prime} = {C - {k\quad s*P\quad C}}} \\{= {{P\_ KC} + {k*K\quad P} - {k\quad s*P\quad C}}} \\{= {{P\_ K}\quad C}}\end{matrix}$

Thus, point P_KC′ is equal to point P_KC. Accordingly, KC′ is equal toKC.

Conversion function f converts an integer having a smaller bit size thana field of definition of the elliptic curve, to a corresponding point onthe elliptic curve. Inverse conversion function f⁻¹, meanwhile, convertsa point on the elliptic curve to a corresponding integer having asmaller bit size than the field of definition. Conversion function f isan injection. Any function can be used so long as f⁻¹(f(v))=v where v isan integer. Conversion functions are described in detail in Neal KoblitzA Course in Number Theory and Cryptography, Springer-Verlag, 1987, pp.162-163.

The following examines the data size of the ciphertext in the aboveelliptic curve ElGamal cipher.

For simplicity's sake, let the field of definition of the elliptic curvebe 160 bits which is a currently recommended parameter in elliptic curvecryptography.

Ciphertext EKC is composed of points C and PC. Points C and PC are eachmade up of x and y coordinates. Accordingly, points C and PC are each320 bits long. Therefore, ciphertext EKC is 320+320=640 bits (=80bytes).

While DES generates a ciphertext which is equal in size to a plaintext,elliptic curve ElGamal generates a ciphertext which is four times aslarge as a plaintext.

Thus, when compared with other ciphers such as DES, elliptic curveElGamal achieves a higher level of security but has the problem that theciphertext length is larger when the key length is equal.

Note that the conventional techniques are described in: T. Okamoto & H.Yamamoto Modern Encryption, Sangyo Tosho, 1997; Henri Cohen A Course inComputational Algebraic Number Theory (Graduate Texts in Mathematics,Vol 138), Springer-Verlag, 1993, pp. 31-33; Michael Rosing ImplementingElliptic Curve Cryptography, Manning, 1998, pp. 180-181; Neal Koblitz ACourse in Number Theory and Cryptography, Springer-Verlag, 1987, pp.162-163; and U.S. Pat. No. 6,199,086.

DISCLOSURE OF THE INVENTION

The present invention aims to provide an information transfer system, anencryption device, a decryption device, an encryption method, adecryption method, and a computer-readable program which enable aciphertext to be reduced in length when elliptic curve cryptography isused.

The stated aim can be achieved by an information transfer system fortransferring information in secrecy using an elliptic curve discretelogarithm problem as a basis for security, the information transfersystem including an encryption device and a decryption device, theencryption device including: a storage unit storing a plaintext; anencryption unit operable to perform elliptic curve encryption on theplaintext, and generate a ciphertext that includes an x coordinate of anencryption point on an elliptic curve, the encryption point beinggenerated by the elliptic curve encryption; and an output unit operableto output the ciphertext, and the decryption device including: anacquisition unit operable to acquire the ciphertext; and a decryptionunit operable to calculate a y coordinate of the encryption point on theelliptic curve using the x coordinate included in the acquiredciphertext, and perform elliptic curve decryption using the encryptionpoint and other information included in the acquired ciphertext togenerate a decrypted text.

According to this construction, the encryption device outputs ciphertextwhich includes an x coordinate of an elliptic curve point but does notinclude a y coordinate of the elliptic curve point. The decryptiondevice calculates the y coordinate of the elliptic curve point from thex coordinate included in the received ciphertext, and performsdecryption using the calculated elliptic curve point. In this way, thedata size of the transferred ciphertext can be reduced.

Here, the plaintext stored in the storage unit in the encryption devicemay be a scalar, wherein the encryption unit includes: a random numbergeneration unit operable to generate a random number which is a scalar;a first calculation unit operable to multiply a base point on theelliptic curve by the random number; a second calculation unit operableto multiply a public key point on the elliptic curve by the randomnumber; a conversion unit operable to apply a conversion function forconverting a scalar to a corresponding point on the elliptic curve, tothe plaintext to generate a plaintext point on the elliptic curve; athird calculation unit operable to calculate a sum point, using additionof the plaintext point and the multiplied public key point; and ageneration unit operable to generate the ciphertext that includes thesum point and an x coordinate of the multiplied base point which is theencryption point.

Here, the third calculation unit may judge whether a predeterminedcondition is satisfied, and set, as the sum point, a sum of theplaintext point and the multiplied public key point if the judgment isaffirmative, and a corresponding negative point of the sum of theplaintext point and the multiplied public key point if the judgment isnegative.

Here, the elliptic curve may be defined over a finite field GF(p) by anequationy ² =x ³ +a×x+b

where p is a prime, wherein the third calculation unit judges, as thepredetermined condition, whether a y coordinate of the multiplied basepoint is smaller than (p−1)/2.

Here, the acquisition unit in the decryption device may acquire theciphertext from the above encryption device, wherein the decryption unitincludes: a square root calculation unit operable to substitute the xcoordinate included in the acquired ciphertext into the equationy²=x³+a×x+b to find two solutions y, select one of the two solutions ythat is smaller than (p−1)/2, and generate a first decryption pointwhich is made up of the x coordinate included in the acquired ciphertextand the selected solution y as a y coordinate; a scalar multiplicationunit operable to multiply the first decryption point by a secret keywhich is a scalar to generate a second decryption point, the public keypoint having been generated by multiplying the base point on theelliptic curve by the secret key; and a decrypted text calculation unitoperable to subtract the second decryption point from the sum pointincluded in the acquired ciphertext, and apply an inverse conversionfunction for converting a point on the elliptic curve to a correspondingscalar, to a point obtained as a result of the subtraction to generatethe decrypted text.

According to these constructions, the present invention can be appliedto an elliptic curve on GF(p).

Here, the plaintext stored in the storage unit in the encryption devicemay be a scalar, wherein the encryption unit includes: a random numbergeneration unit operable to generate a random number which is a scalar;a first calculation unit operable to multiply a base point on theelliptic curve by the random number; a second calculation unit operableto multiply a public key point on the elliptic curve by the randomnumber; a conversion unit operable to apply a conversion function forconverting a scalar to a corresponding point on the elliptic curve, tothe plaintext to generate a plaintext point on the elliptic curve; athird calculation unit operable to calculate a sum point, using additionof the plaintext point and the multiplied public key point; and ageneration unit operable to generate the ciphertext that includes thesum point and an x coordinate of the multiplied base point which is theencryption point.

Here, the third calculation unit may judge whether a predeterminedcondition is satisfied, and set, as the sum point, a sum of theplaintext point and the multiplied public key point if the judgment isaffirmative, and a corresponding negative point of the sum of theplaintext point and the multiplied public key point if the judgment isnegative.

Here, the elliptic curve may be defined over a finite field GF(2^(m)) byan equationy ² +xy=x ³ +ax ² +b

where m is a natural number, with a generator polynomial in GF(2^(m))being denoted by f(x) whose root is α, wherein the third calculationunit judges, as the predetermined condition, whether a coefficient of aterm α^(s) in the generator polynomial of a y coordinate of themultiplied base point by α is equal to a coefficient of a term α^(s) inthe generator polynomial of the x coordinate of the multiplied basepoint by α, where s denotes a lowest degree among terms with nonzerocoefficients in the generator polynomial of the x coordinate of themultiplied base point by α.

Here, the acquisition unit in the decryption device may acquire theciphertext from the above encryption device, wherein the decryption unitincludes: a detection unit operable to detect s which is a lowest degreeamong terms with nonzero coefficients in the generator polynomial of thex coordinate included in the acquired ciphertext by α; a solution unitoperable to substitute the x coordinate included in the acquiredciphertext into the equation y^(2+xy=x) ³+ax²+b to find two solutions y,select, out of the two solutions y, a solution y whose generatorpolynomial by α includes a term α^(s) that has an equal coefficient to aterm α^(s) in the generator polynomial of the x coordinate included inthe acquired ciphertext by α, and generate a first decryption pointwhich is made up of the x coordinate included in the acquired ciphertextand the selected solution y as a y coordinate; a scalar multiplicationunit operable to multiply the first decryption point by a secret keywhich is a scalar to generate a second decryption point, the public keypoint having been generated by multiplying the base point on theelliptic curve by the secret key; and a decrypted text calculation unitoperable to subtract the second decryption point from the sum pointincluded in the acquired ciphertext, and apply an inverse conversionfunction for converting a point on the elliptic curve to a correspondingscalar, to a point obtained as a result of the subtraction to generatethe decrypted text.

According to these constructions, the present invention can be appliedto an elliptic curve on GF(2^(m)).

Here, the elliptic curve may be defined over a finite field GF(p) by anequationy ² =x ³ +a×x+b

where p is a prime, wherein the plaintext stored in the storage unit inthe encryption device is a scalar, and the encryption unit includes: arandom number generation unit operable to generate a random number whichis a scalar; a second calculation unit operable to multiply a public keypoint on the elliptic curve by the random number; a conversion unitoperable to apply a conversion function for converting a scalar to acorresponding point on the elliptic curve, to the plaintext to generatea plaintext point on the elliptic curve; a third calculation unitoperable to add the plaintext point and the multiplied public key pointto obtain a sum point; a first calculation unit operable to judgewhether a y coordinate of the sum point is smaller than (p−1)/2, andmultiply a base point on the elliptic curve by the random number if thejudgment is affirmative, and multiply the base point on the ellipticcurve by a corresponding negative number of the random number if thejudgment is negative; and a generation unit operable to generate theciphertext that includes the multiplied base point and an x coordinateof the sum point which is the encryption point.

Here, the acquisition unit in the decryption device may acquire theciphertext from the above encryption device, wherein the decryption unitincludes: a square root calculation unit operable to substitute the xcoordinate included in the acquired ciphertext into the equation y^(2=x)³+a×x+b to find two solutions y, select one of the two solutions y thatis smaller than (p−1)/2, and generate a first decryption point which ismade up of the x coordinate included in the acquired ciphertext and theselected solution y as a y coordinate; a scalar multiplication unitoperable to multiply the multiplied base point included in the acquiredciphertext by a secret key which is a scalar to generate a seconddecryption point, the public key point having been generated bymultiplying the base point on the elliptic curve by the secret key; anda decrypted text calculation unit operable to subtract the seconddecryption point from the first decryption point, and apply an inverseconversion function for converting a point on the elliptic curve to acorresponding scalar, to a point obtained as a result of the subtractionto generate the decrypted text.

According to these constructions, the present invention can be appliedto an elliptic curve on GF(p).

Here, the elliptic curve may be defined over a finite field GF(p) by anequationy ² =x ³ +a×x+b

where p is a prime, wherein the plaintext stored in the storage unit inthe encryption device is a scalar, and the encryption unit includes: arandom number generation unit operable to generate a random number whichis a scalar; a first calculation unit operable to multiply a base pointon the elliptic curve by the random number; a second calculation unitoperable to multiply a public key point on the elliptic curve by therandom number; a third calculation unit operable to perform anexclusive-OR operation on the plaintext and an x coordinate of themultiplied public key point; and a generation unit operable to generatethe ciphertext that includes an exclusive-OR value obtained as a resultof the exclusive-OR operation and an x coordinate of the multiplied basepoint which is the encryption point.

Here, the acquisition unit in the decryption device may acquire theciphertext from the above encryption device, wherein the decryption unitincludes: a square root calculation unit operable to substitute the xcoordinate included in the acquired ciphertext into the equationy²=x³+a×x+b to find two solutions y, select one of the two solutions ythat is smaller than (p−1)/2, and generate a first decryption pointwhich is made up of the x coordinate included in the acquired ciphertextand the selected solution y as a y coordinate; a scalar multiplicationunit operable to multiply the first decryption point by a secret keywhich is a scalar to generate a second decryption point, the public keypoint having been generated by multiplying the base point on theelliptic curve by the secret key; and a decrypted text calculation unitoperable to perform an exclusive-OR operation on the exclusive-OR valueincluded in the acquired ciphertext and an x coordinate of the seconddecryption point, to generate the decrypted text.

According to these constructions, the data size of the transferredciphertext can further be reduced.

Here, the plaintext stored in the storage unit in the encryption devicemay be a content key, wherein the encryption unit generates theciphertext by encrypting the content key, and the encryption devicefurther includes: a content encryption unit operable to encrypt contentusing the content key; and a content output unit operable to output theencrypted content.

Here, the acquisition unit in the decryption device may acquire theciphertext and the encrypted content from the above encryption device,wherein the decryption unit decrypts the ciphertext to generate thedecrypted text which is a decrypted content key, and the decryptiondevice further includes: a content decryption unit operable to decryptthe encrypted content using the decrypted content key to generatedecrypted content; and content playback unit operable to play back thedecrypted content.

According to these constructions, when encrypting content using acontent key and decrypting the encrypted content using the content key,the data size of an encrypted content key as a transferred ciphertextcan be reduced.

Thus, the data size of the transferred ciphertext can be reduced byomitting the y coordinate of the elliptic curve point from theciphertext, which contributes to high practicality.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 shows a construction of a content delivery system to which thefirst embodiment of the present invention relates.

FIG. 2 is a block diagram showing a construction of a content deliverydevice shown in FIG. 1.

FIG. 3 shows a data structure of transmission information which istransmitted from a send/receive unit in the content delivery device toeach content reception device.

FIG. 4 is a block diagram showing a construction of a content receptiondevice shown in FIG. 1.

FIG. 5 is a flowchart showing an overall operation of the contentdelivery system shown in FIG. 1.

FIG. 6 is a flowchart showing an operation of generating encryptedcontent key information EKC by a key information generation unit in thecontent delivery device shown in FIG. 2.

FIG. 7 is a flowchart showing an operation of generating encryptedcontent key EKC_(i) by a key encryption unit in the key informationgeneration unit.

FIG. 8 is a flowchart showing an operation of generating decryptedcontent key KC′ by a key decryption unit in the content reception deviceshown in FIG. 4.

FIG. 9 shows a data structure of transmission information which istransmitted from the send/receive unit in a content delivery device toeach content reception device in the second embodiment of the presentinvention.

FIG. 10 is a flowchart showing an operation of generating encryptedcontent key EKC_(i) by a key encryption unit in a key informationgeneration unit in the content delivery device of the second embodiment.

FIG. 11 is a flowchart showing an operation of generating decryptedcontent key KC′ by a key decryption unit in a content reception deviceof the second embodiment.

FIG. 12 is a block diagram showing a construction of a key informationgeneration unit in a content delivery device of the third embodiment ofthe present invention.

FIG. 13 shows a data structure of transmission information which istransmitted from the send/receive unit in the content delivery device toeach content reception device in the third embodiment.

FIG. 14 is a block diagram showing a construction of a key decryptionunit in a content reception device of the third embodiment.

FIG. 15 is a flowchart showing an operation of generating encryptedcontent key information EKC by the key information generation unit shownin FIG. 12.

FIG. 16 is a flowchart showing an operation of generating decryptedcontent key KC′ by the key decryption unit shown in FIG. 14.

BEST MODE FOR CARRYING OUT THE INVENTION 1. First Embodiment

The following describes a content delivery system 10 to which the firstembodiment of the present invention relates.

1.1. Construction of the Content Delivery System 10

FIG. 1 shows a construction of the content delivery system 10. As shownin the drawing, the content delivery system 10 is roughly made up of onecontent delivery device 100 and n content reception devices 200 ₁, 200₂, . . . , 200 _(i), . . . , 200 _(n). Here, n is a natural number. Forexample, when n=1,000,000, the content delivery system 10 includes1,000,000 content reception devices. The content delivery device 100 isconnected to the content reception devices 200 ₁, 200 ₂, . . . , 200_(n) via the Internet 20.

The content delivery device 100 generates content key KC for content Cwhich is a digital work of a movie or the like, and encrypts content Cusing content key KC according to encryption algorithm Enc₁ of a secretkey cipher to generate encrypted content EC. The content delivery device100 also encrypts content key KC according to encryption algorithm Enc₂of a public key cipher to generate encrypted content key informationEKC, and transmits encrypted content EC and encrypted content keyinformation EKC to each of the content reception devices 200 ₁, 200 ₂, .. . , 200 _(n) via the Internet 20.

The content reception device 200 ₁ receives encrypted content EC andencrypted content key information EKC from the content delivery device100 via the Internet 20, and decrypts encrypted content key informationEKC according to decryption algorithm Dec₂ of the public key cipher togenerate decrypted content key KC′. The content reception device 200 ₁then decrypts encrypted content EC using decrypted content key KC′according to decryption algorithm Dec₁ of the secret key cipher togenerate decrypted content C′, and plays back decrypted content C′. Theother content reception devices 200 ₂, . . . , 200 _(n) are the same asthe content reception device 200 ₁.

Here, decryption algorithm Dec₁ is an algorithm for decrypting aciphertext that is generated according to encryption algorithm Enc₁, anddecryption algorithm Dec₂ is an algorithm for decrypting a ciphertextthat is generated according to encryption algorithm Enc₂.

It should be noted that a subscript of a reference sign given to each ofthe content reception devices 200 ₁, 200 ₂, . . . , 200 _(n) is a deviceID number that uniquely identifies the content reception device. Forinstance, the content reception device 200 i is uniquely identified bythe device ID number “i”.

1.2. Elliptic Curve Cryptography and Elliptic Curve Parameters

In the content delivery system 10, elliptic curve cryptography is usedas the above public key cipher. Elliptic curve cryptography is describedin detail in T. Okamoto & H. Yamamoto Modern Encryption, Sangyo Tosho,1997. The following briefly explains parameters of elliptic curve E₁that is used in the content delivery system 10.

Let elliptic curve E₁ be defined by an equation of the formy ² =x ³ +a×x+b

where x and y are variables and a and b are constants. Also, a×x denotesmultiplication of a and x. Constants a and b are natural numbers. Singleelliptic curve E₁ is determined by these constants a and b. In general,elliptic curve E₁ is defined on field of definition GF(p^(m)) which is afinite field, where p is a prime and m is a natural number. Let m=1 sothat the field of definition of elliptic curve E₁ is GF(p), forsimplicity's sake.

1.3. Elliptic Curve Discrete Logarithm Problem

A discrete logarithm problem is used as a basis for the security ofpublic key cryptography. Representative examples of the discretelogarithm problem are a problem defined on a finite field and a problemdefined on an elliptic curve. The discrete logarithm problem isdescribed in detail in Neal Koblitz A Course in Number Theory andCryptography, Springer-Verlag, 1987.

The elliptic curve discrete logarithm problem is the following.

Let E(GF(p)) be an elliptic curve defined over finite field GF(p), withpoint G on elliptic curve E, given when the order of E is divisible by alarge prime, being set as a base point. This being so, the problem is tofind integer x such thatY=x*G

where Y is a given point on E, if such integer x exists.

The reason the discrete logarithm problem assists in the security ofpublic key cryptography is that the above computation of x is extremelydifficult for finite field GF(p) having a large number of elements.

1.4. Construction of the Content Delivery Device 100

FIG. 2 is a block diagram showing a construction of the content deliverydevice 100. In the drawing, the content delivery device 100 includes asend/receive unit 101, a content key generation unit 102, a contentencryption unit 103, a public key storage unit 104, a key informationgeneration unit 105, a content storage unit 106, and a control unit 107.The control unit 107 is connected to an input unit 108 and a displayunit 109.

The content delivery device 100 is actually realized by a computersystem that includes a microprocessor, a ROM, a RAM, a hard disk unit,and a communication unit. A computer-readable program is stored in theRAM or the hard disk unit. Functions of the content delivery device 100are realized by the microprocessor operating according to thiscomputer-readable program.

(1) Public Key Storage Unit 104

The public key storage unit 104 stores public keys KP₁, KP₂, . . . ,KP_(n) of the content reception devices 200 ₁, 200 ₂, . . . , 200 _(n)respectively, in advance.

Public keys KP₁, KP₂, . . . , KP_(n) are each a point on elliptic curveE₁ calculated as follows:KP ₁ =ks ₁ *GKP ₂ =ks ₂ *G

KP _(n) =ks _(n) *G

where ks₁, ks₂, . . . , ks_(n) are secret keys of the content receptiondevices 200 ₁, 200 ₂, . . . , 200 _(n) respectively, and G is a basepoint on elliptic curve E₁ in elliptic curve ElGamal. In thisspecification, a*B denotes a point on an elliptic curve obtained byadding point B on the elliptic curve to itself (a−1) times. Forinstance, ks₁*G is a point on elliptic curve E₁ obtained by adding basepoint G to itself (ks₁−1) times. This operation is hereafter calledelliptic curve point multiplication (which can also be called ellipticcurve exponentiation/scalar multiplication).

(2) Content Storage Unit 106

The content storage unit 106 stores content C which is adigital work ofamovie or the like, in advance. Content C is generated by compressingvideo data and audio data of the digital work according to the MPEG2(Moving Picture Experts Group 2) standards that define video and audiocompression/coding techniques.

(3) Content Key Generation Unit 102

The content key generation unit 102 generates a 160-bit random numberfor content C stored in the content storage unit 106, and sets thegenerated random number as content key KC. The content key generationunit 102 outputs content key KC to the content encryption unit 103 andthe key information generation unit 105.

(4) Content Encryption Unit 103

The content encryption unit 103 reads content C form the content storageunit 106, and receives content key KC from the content key generationunit 102.

The content encryption unit 103 encrypts content C using content key KCaccording to encryption algorithm Enc₁ of the secret key cipher, togenerate encrypted contentEC=Enc ₁(KC,C)

Here, Enc₁(KC,C) is a ciphertext generated by applying encryptionalgorithm Enc₁ of the secret key cipher to content C using content keyKC. For example, DES may be used as the secret key cipher. Other secretkey ciphers, such as AES (Advanced Encryption Standard) are equallyapplicable. Secret key cryptography is described in detail in T. Okamoto& H. Yamamoto Modern Encryption, Sangyo Tosho, 1997.

The content encryption unit 103 outputs encrypted content EC to thesend/receive unit 101.

(5) Key Information Generation Unit 105

The key information generation unit 105 includes a key encryption unit111, a counter setting unit 112, a counter increment unit 113, a counterjudgment unit 114, an output unit 115, a key control unit 116, aparameter storage unit 117, and a counter 118, as shown in FIG. 2.

The parameter storage unit 117 stores base point G, constant a, constantb, and prime p beforehand.

The counter setting unit 112 sets counter i in the counter 118 to 1.

The key encryption unit 111 generates encrypted content key EKC_(i)corresponding to the content reception device 200 _(i), in the followingway.

(a) Generate 160-bit random number k_(i).

(b) Read base point G, constant a, and prime p from the parameterstorage unit 117, and calculatePC _(i) =k _(i) *G

using random number k_(i), base point G, constant a, and prime p.

Here, elliptic curve point multiplication is performed as follows.

Take 100*P as one example.

100*P can be expressed as100*P=2(2(P+2(2(2(P+2P)))))

which indicates that 100*P is computed by performing six doublingoperations and two addition operations on point P on an elliptic curve.

Thus, elliptic curve point multiplication is achieved through additionand doubling operations.

Let elliptic curve E₁ be defined byy ² =x ³ +a×x+b

Given two points P=(x₁,y₁) and Q=(x₂,y₂) on elliptic curve E₁, R=(x₃,y₃)is a point on elliptic curve E₁ such that R=P+Q.

When P≠Q, R=P+Q is an addition operation using addition formulas thatarex ₃={(y ₂ −y ₁)/(x ₂ −x ₁)}² −x ₁ −x ₂y ₃={(y ₂ −y ₁)/(x ₂ −x ₁)}(x ₁ −x ₃)−y ₁

When P=Q, on the other hand, R=P+Q=P+P=2×P, so that R=P+Q is a doublingoperation using doubling formulas that arex ₃={(3x ₁ ² +a)/2y ₁}²−2x ₁y ₃={(3x ₁ ² +a)/2y ₁}(x ₁ −x ₃)−y ₁

Note that the above operations are carried out on finite field GF(p)where elliptic curve E₁ is defined.

For details on elliptic curve algorithms, see “Efficient Elliptic CurveExponentiation” in Miyaji, Ono & Cohen Advances inCryptology-Proceedings of ICICS'97, Lecture Notes in Computer Science,Springer-Verlag, 1997, pp. 282-290.

(c) Read public key KP_(i) from the public key storage unit 104, andcalculatek_(i)*KP_(i)

using random number k_(i), public key KP_(i), constant a, and prime p.

Here, elliptic curve point multiplication is performed as explainedabove.

(d) Receive content key KC from the content key generation unit 102, andconvert content key KC to point P_KC=f(KC) on elliptic curve E₁ usingconversion function f. Conversion function f is explained in detaillater.

(e) CalculateP_KC+k_(i)*KP_(i)

(f) Read prime p from the parameter storage unit 117, and judge whethery(PC_(i)), which is they coordinate of point PC_(i), satisfiesy(PC _(i))<(p−1)/2

If y(PC_(i))<(p−1)/2, setC _(i) =P _(—) KC+k _(i) *KP _(i)

If y(PC_(i))≧(p−1)/2, setC _(i)=−(P _(—) KC+k _(i) *KP _(i))

(g) Output x(PC_(i)), which is the x coordinate of point PC_(i), andpoint C_(i) to the output unit 115 as encrypted content key EKC_(i).

The counter judgment unit 114 judges whether counter i is n.

The counter increment unit 113 increments counter i by 1, if the counterjudgment unit 114 judges that i≠n. After this, the above procedure (a)to (g) is repeated.

The output unit 115 outputs encrypted content keys EKC₁, EKC₂, EKC₃, . .. , EKC_(n) to the send/receive unit 101 as encrypted content keyinformation EKC, if the counter judgment unit 114 judges that i=n.

The key control unit 116 controls the construction elements in the keyinformation generation unit 105.

The above procedure (a) to (g) employs a modification to theconventional elliptic curve ElGamal cipher. The difference from theconventional elliptic curve ElGamal cipher lies in the following point.While a ciphertext is made up of C₁ and PC_(i) in the conventionalelliptic curve ElGamal cipher, a ciphertext is made up of C_(i) and thex coordinate of PC_(i) in the modified cipher of this embodiment. Inother words, the main feature of this embodiment is that informationrelating to the y coordinate of PC_(i) is not included at all (not even1 bit) in encrypted content key information EKC.

(6) Send/Receive Unit 101

The send/receive unit 101 receives encrypted content EC from the contentencryption unit 103, and encrypted content key information EKC from thekey information generation unit 105. The send/receive unit 101 transmitsencrypted content EC and encrypted content key information EKC to eachof the content reception devices 200 ₁, 200 ₂, . . . , 200 _(n) via theInternet 20.

FIG. 3 shows a data structure of transmission information 301 that istransmitted from the send/receive unit 101 to each of the contentreception devices 200 ₁, 200 ₂, . . . , 200 _(n). As illustrated, thetransmission information 301 is composed of encrypted content EC 302 andencrypted content key information EKC 303. The encrypted content keyinformation EKC 303 contains n encrypted content keys 311, 312, . . . ,313. The ith encrypted content key, i.e. EKC_(i), includes x(PC_(i))(the x coordinate of PC_(i)) and C_(i).

Lengths of x(PC_(i)) and C_(i) are fixed. In detail, x(PC_(i)) is 160bits long whereas C_(i) is 320 bits long. In encrypted content keyinformation EKC, the n encrypted content keys are arranged in the orderof the device ID numbers assigned to the n content reception devices 200₁, 200 ₂, . . . , 200 _(n), so as to correspond one-to-one with the ncontent reception devices 200 ₁, 200 ₂, . . . , 200 _(n). This being so,an encrypted content key corresponding to a content reception device canbe specified by a device ID number assigned to that content receptiondevice.

As one example, x(PC₁) (the x coordinate of PC₁) and C₁ which constituteencrypted content key EKC₁ corresponding to the content reception device200 ₁ with the device ID number “1” can be obtained by extracting480(=160+320) bits from the start of encrypted content key informationEKC.

In general, x(PC_(i)) (the x coordinate of PC_(i)) and C_(i) whichconstitute encrypted content key EKC_(i) corresponding to the contentreception device 200 _(i) with the device ID number “i” can be obtainedby extracting 480 bits beginning with the (1+(i−1)×480)th bit from thestart of encrypted content key information EKC.

(7) Control Unit 107, Input Unit 108, and Display Unit 109

The control unit 107 controls the construction elements in the contentdelivery device 100.

The input unit 108 receives an input of information or an instructionfrom an operator of the content delivery device 100, and outputs thereceived information or instruction to the control unit 107.

The display unit 109 displays various information under control of thecontrol unit 107.

1.5. Construction of the Content Reception Devices 200 ₁, 200 ₂, . . . ,200 _(n)

The content reception devices 200 ₁, 200 ₂, . . . , 200 _(n) have thesame construction. The following describes the construction of thecontent reception device 200 _(i) as one example.

FIG. 4 is a block diagram showing the construction of the contentreception device 200 _(i). As shown in the drawing, the contentreception device 200 _(i) includes a send/receive unit 201, a secret keystorage unit 202, a content decryption unit 203, a key decryption unit204, a playback unit 205, a control unit 206, an input unit 207, amonitor 208, a speaker 209, and a parameter storage unit 210.

The content reception device 200 _(i) is actually realized by a computersystem that includes a microprocessor, a ROM, and a RAM, like thecontent delivery device 100. A computer-readable program is stored inthe RAM. Functions of the content reception device 200 _(i) are realizedby the microprocessor operating in accordance with thiscomputer-readable program.

It is to be noted here that the subscript “i” of the reference sign “200_(i)” is a device ID number that uniquely identifies the contentreception device 200 _(i).

(1) Secret Key Storage Unit 202 and Parameter Storage Unit 210

The secret key storage unit 202 stores 160-bit secret key ks_(i) insecrecy, beforehand. The secret key storage unit 202 is accessible onlyby the key decryption unit 204.

Secret key ks_(i) corresponds to public key KP_(i). As mentioned above,public key KP_(i) is calculated byKP _(i) =ks _(i) *G

The parameter storage unit 210 stores base point G, constant a, constantb, and prime p in advance.

(2) Send/Receive Unit 201

The send/receive unit 201 receives encrypted content EC and encryptedcontent key information EKC from the content delivery device 100 via theInternet 20. The send/receive unit 201 outputs encrypted content EC tothe content decryption unit 203, and encrypted content key informationEKC to the key decryption unit 204.

(3) Key Decryption Unit 204

The key decryption unit 204 includes a square root calculation unit 211,a scalar multiplication unit 212, and a content key calculation unit213, as shown in FIG. 4.

(Square Root Calculation Unit 211)

The square root calculation unit 211 stores the device ID number “i”assigned to the content reception device 200 _(i), beforehand.

The square root calculation unit 211 receives encrypted content keyinformation EKC from the send/receive unit 201, and reads the device IDnumber “i”. The square root calculation unit 211 specifies x(PC_(i))(the x coordinate of PC_(i)) corresponding to the content receptiondevice 200 _(i) in encrypted content key information EKC using thedevice ID number “i”, as explained above. The square root calculationunit 211 extracts x(PC_(i)) from encrypted content key information EKC.

The square root calculation unit 211 then finds, for x(PC_(i)), twosquare roots rt ofz=x(PC _(i))³ +a×x(PC _(i))+b

on GF(p).

Here, one of two square roots rt is smaller than (p−1)/2 and the otheris no smaller than (p−1)/2. The square root calculation unit 211 selectssquare root rt that is smaller than (p−1)/2. The square root calculationunit 211 then setsPC _(i)′=(x(PC _(i)),rt)

using extracted x(PC_(i)) and selected rt. The square root calculationunit 211 outputs PCi′ to the scalar multiplication unit 212.

Square root calculation is described in detail in Henri Cohen A Coursein Computational Algebraic Number Theory (Graduate Texts in Mathematics,Vol. 138), Springer-Verlag, 1993, pp. 31-33.

The following explains how to find square root rt on GF(p) when p=3 mod4. For details of other square root calculation methods, see the abovedocument by Cohen.

Here, “d mod e” denotes a remainder when dividing d by e.

Square root rt of z is either z^(((p+1)/4)) or −z^(((p+1)/4)).

In general,z ^((p−1))=1 mod p

holds true. This being so,z ^((p+1)) =z ² mod p

so thatz ^(((p+1)/4))=(z ²)^(1/4) =z ^(1/2)

which is a square root of z.

(Scalar Multiplication Unit 212)

The scalar multiplication unit 212 reads secret key ks_(i) from thesecret key storage unit 202, and receives PC_(i)′ from the square rootcalculation unit 211. The scalar multiplication unit 212 also readsconstant a and prime p from the parameter storage unit 210, and computespointks_(i)*PC_(i)′

by multiplying PC_(i)′ by ks_(i), using constant a, prime p, and secretkey ks_(i).

Here, elliptic curve point multiplication is performed as describedabove.

The scalar multiplication unit 212 outputs point ks_(i)*PC_(i)′ to thecontent key calculation unit 213.

(Content Key Calculation unit 213)

The content key calculation unit 213 receives point ks_(i)*PC_(i)′ fromthe scalar multiplication unit 212, and calculatesP _(—) KC′=C _(i) −ks _(i) *PC _(i)′

using C_(i) included in encrypted content key EKC_(i) in encryptedcontent key information EKC. The content key calculation unit 213 thenconverts P_KC′ to an integer to thereby obtain decrypted content keyKC′=f ⁻¹(P _(—) KC′)

Here, f⁻¹ is an inverse of conversion function f. Decrypted content keyKC′ obtained in this way is expected to be equal to content key KC. Thecontent key calculation unit 213 outputs decrypted content key KC′ tothe content decryption unit 203.

(4) Content Decryption Unit 203

The content decryption unit 203 receives encrypted content EC from thesend/receive unit 201, and decrypted content key KC′ from the keydecryption unit 204. The content decryption unit 203 decrypts encryptedcontent EC using decrypted content key KC′ according to decryptionalgorithm Dec₁ of the secret key cipher, to generate decrypted contentC′=Dec ₁(KC′,EC)

Here, Dec₁(KC′,EC) is a decrypted text obtained by applying decryptionalgorithm Dec₁ of the secret key cipher to encrypted content EC usingdecrypted content key KC′.

The content decryption unit 203 outputs decrypted content C′ to theplayback unit 205.

(5) Playback Unit 205, Control Unit 206, Input Unit 207, Monitor 208,and Speaker 209

The playback unit 205 receives decrypted content C′ from the contentdecryption unit 203, and obtains video data and audio data fromdecrypted content C′. The playback unit 205 converts the video data andaudio data to an analog video signal and audio signal, and outputs themrespectively to the monitor 208 and the speaker 209.

The monitor 208 receives the analog video signal from the playback unit205, and displays images.

The speaker 209 receives the analog audio signal from the playback unit205, and outputs sounds.

The control unit 206 controls the construction elements in the contentreception device 200 _(i).

The input unit 207 receives an instruction from a user of the contentreception device 200 _(i), and outputs the received instruction to thecontrol unit 206.

1.6. Conversion Function f and Inverse Conversion Function f⁻¹

Conversion function f and inverse conversion function f⁻¹ are explainedbelow.

Conversion function f converts an integer which has a smaller bit sizethan field of definition GF(p), to a corresponding point on ellipticcurve E₁. Meanwhile, inverse conversion function f⁻¹ converts a point onelliptic curve E₁ to a corresponding integer which has a smaller bitsize than field of definition GF(p). Conversion function f is aninjection. Any function can be used so long as the following twoconditions are satisfied:f ⁻¹(f(v))=v

where v is an integer; andf ⁻¹(−P)=f ⁻¹(P)

where P is a point on elliptic curve E₁. For details of conversion, seeNeal Koblitz A Course in Number Theory and Cryptography,Springer-Verlag, 1987, pp. 162-163.

A conversion method described in the above document by Koblitz isexplained below.

(1) The bit size of field of definition GF(p) is denoted by lenp, andthe bit size of v is denoted by lenp−10. That is, v is 10 bits smallerthan field of definition GF(p). Let c=0 and x_fv=c∥v. This being so,judge whether(x _(—) fv)³ +a×x _(—) fv+b

is a quadratic residue on GF(p).

(2) If the judgment is affirmative, find square root y_fv of(x_fv)³+a×x_fv+b, and set f(v)=(x_fv,y_fv).

(3) If the judgment is negative, increment c by 1 and set x_fv=c∥v. Thenjudge once again whether(x _(—) fv)³ +a×x _(—) fv+b

is a quadratic residue on GF(p). If the judgment is affirmative, findsquare root y_fv of (x_fv)³+a×x_fv+b, and set f(v)=(x_fv,y_fv). If thejudgment is negative, increment c by 1, and perform the same judgment.This is repeated until (x_fv)³+a×x_fv+b which is a quadratic residue onGF(p) is obtained.

An inverse conversion method f⁻¹(P_fv) is explained next.

When P_fv=(x_fv,y_fv), f⁻¹(P_fv) is set as a number represented by thelower (lenp−10) bits of x_fv. According to this method, it is obviousthatf ⁻¹(f(v))=v

Also, since f⁻¹(P_fv) is the lower bits of the x coordinate of P_fv, itis obvious thatf ⁻¹(−P)=f ⁻¹(P)

As mentioned earlier, conversion function f and inverse conversionfunction f⁻¹ are not limited to those described in the above document byKoblitz, so long as function f is an injection, f⁻¹(f(v))=v holds truewhere v is an integer, and f⁻¹(−P)=f⁻¹(P) holds true where P is a pointon elliptic curve E₁.

1.7. Reason that Decrypted Content Key KC′ is Equal to Content Key KC

If f⁻¹(P_KC′)=f⁻¹(P_KC), decrypted content key KC′ is equal to contentkey KC. The reason that f⁻¹(P_KC′)=f⁻¹(P_KC) holds true is given below.

On an elliptic curve defined over GF(p), −P which is a correspondingnegative point of P=(x₁,y_(l)) is generally given by −P=(x₁, −y₁).Square root rt satisfiesrt ² =x(PC _(i))³ +a×x(PC _(i))+b

Likewise, y(PC_(i)) which is the y coordinate of point PC_(i) satisfiesy(PC _(i))² =x(PC _(i))³ +a×x(PC _(i))+b

Hencey(PC _(i))=rt

ory(PC _(i))=−rt

If y(PC_(i))=rt, that is, y(PC_(i))<(p−1)/2, then PC_(i)=PC_(i)′.Substituting PC_(i)=PC_(i)′ and C₁=P_KC+k_(i)*KP_(i) yieldsP_KC′=C_(i) −ks _(i) *PC _(i) ′=P _(—) KC+k _(i) *KP _(i) −ks _(i) *PC_(i)

Here,k _(i) *KP _(i) =k _(i) *ks _(i) *G=ks _(i) *PC _(i)

so thatP_(—) KC′=P_KC

Thereforef ⁻¹(P _(—) KC′)=f ⁻¹(P _(—) KC)

is true.

On the other hand, if y(PC_(i))=−rt, that is, y(PC_(i))≧(p−1)/2, thenPC_(i)′=−PC_(i). Substituting PC_(i)′=−PC_(i) andC_(i)=−(P_KC+k_(i)*KP_(i)) yieldsP _(—) KC′=C _(i) −ks _(i) *PC _(i)′=−(P _(—) KC+k _(i) *KP _(i))−ks_(i)*(−PC _(i))=−P _(—) KC

Given thatf ⁻¹(−P _(—) KC)=f ⁻¹(P_KC)

thenf ⁻¹(P _(—) KC)=f ⁻¹(P _(—) KC)

is true.

As demonstrated above,f ⁻¹(P _(—) KC′)=f ⁻¹(P _(—) KC)

is true, so that decrypted content key KC′ is equal to content key KC.

1.8. Operations of the Content Delivery System 10

The following describes operations of the content delivery system 10.

(1) Overall Operation of the Content Delivery System 10

FIG. 5 is a flowchart showing an overall operation of the contentdelivery system 10.

In the content delivery device 100, the content key generation unit 102generates content key KC (S101), and the content encryption unit 103encrypts content C using content key KC to generate encrypted content EC(S102). Also, the key information generation unit 105 generatesencrypted content key information EKC (S103). The send/receive unit 101transmits encrypted content EC and encrypted content key information EKCto each of the content reception devices 200 ₁, 200 ₂, . . . , 200 _(n)via the Internet 20 (S104).

In the content reception device 200 _(i) as an example of the contentreception devices 200 _(1, 200) ₂, . . . , 200 _(n), the send/receiveunit 201 receives encrypted content EC and encrypted content keyinformation EKC from the content delivery device 100 via the Internet 20(S104). The key decryption unit 204 decrypts encrypted content keyEKC_(i) included in encrypted content key information EKC using secretkey ks_(i) stored in the secret key storage unit 202, to generatedecrypted content key KC′ (S105). The content decryption unit 203decrypts encrypted content EC using decrypted content key KC′, togenerate decrypted content C′ (S106). The playback unit 205 plays backdecrypted content C′ (S107).

(2) Operation of Generating Encrypted Content Key Information EKC

FIG. 6 is a flowchart showing an operation of generating encryptedcontent key information EKC by the key information generation unit 105in the content delivery device 100. This operation corresponds to stepS103 in FIG. 5.

The counter setting unit 112 sets counter i to 1 (S121).

The key encryption unit 111 generates encrypted content key EKC_(i)corresponding to the content reception device 200 _(i) (S122). Thecounter judgment unit 114 judges whether i=n (S123). If i≠n, the counterincrement unit 113 increments i by 1 (S124). The operation then returnsto step S122.

If i=n, the output unit 115 outputs encrypted content keys EKC₁, EKC₂,EKC₃, . . . , EKC_(n) to the send/receive unit 101 as encrypted contentkey information EKC (S125).

(3) Operation of Generating Encrypted Content Key EKC_(i)

FIG. 7 is a flowchart showing an operation of generating encryptedcontent key EKC_(i) by the key encryption unit 111 in the keyinformation generation unit 105. This operation corresponds to step S122in FIG. 6.

The key encryption unit 111 generates random number k_(i) (S141), andcalculates PC_(i)=k_(i)*G (S142). The key encryption unit 111 alsocalculates k_(i)*KP_(i) (S143). The key encryption unit 111 convertscontent key KC to point P_KC=f (KC) on elliptic curve E₁ (S144). The keyencryption unit 111 then calculates P_KC+k_(i)*KP_(i) (S145).

After this, the key encryption unit 111 judges whether y(PC_(i)), whichis the y coordinate of PC_(i), satisfies y(PC_(i))<(p−1)/2 (S146). Ify(PC_(i))<(p−1)/2, the key encryption unit 111 setsC_(i)=P_KC+k_(i)*KP_(i) (S148). Otherwise, the key encryption unit 111sets C_(i)=−(P_KC+k_(i)*KP_(i)) (S147).

The key encryption unit 111 outputs x(PC_(i)), which is the x coordinateof PC_(i), and C_(i) as encrypted content key EKC_(i) (S149).

(4) Operation of Generating Decrypted Content Key KC′

FIG. 8 is a flowchart showing an operation of generating decryptedcontent key KC′ by the key decryption unit 204 in the content receptiondevice 200 i. This operation corresponds to step S105 in FIG. 5.

The square root calculation unit 211 calculates two square roots rt ofx(PC_(i))³+a×x(PC_(i))+b for x(PC_(i)) which is included in encryptedcontent key EKC_(i) (S161). The square root calculation unit 211 selectssquare root rt, out of two square roots rt, that satisfies rt<(p−1)/2(S162). The square root calculation unit 211 then generatesPC_(i)′=(x(PC_(i)),rt) (S163).

Next, the scalar multiplication unit 212 calculates point ks_(i)*PC_(i)′by multiplying PC_(i)′ by ks_(i) (S164).

Following this, the content key calculation unit 213 calculatesP_KC′=C_(i)−ks_(i)*PC_(i)′ (S165). The content key calculation unit 213then converts P_KC′ to an integer to thereby generate decrypted contentkey KC′=f⁻¹(P_KC′) (S166).

Such decrypted content key KC′ is expected to be equal to content keyKC.

1.9. Effects of the First Embodiment

The following examines the data size of encrypted content key EKC_(i) inthe content delivery system 10.

For simplicity's sake, field of definition GF(p) of elliptic curve E₁ isassumed to be 160 bits long that is currently recommended in ellipticcurve cryptography.

Encrypted content key EKC_(i) corresponding to one content receptiondevice 200 _(i) is made up of one point C_(i) and the x coordinate ofone point PC_(i), i.e. x(PC_(i)). C_(i) is made up of x and ycoordinates that are each 160 bits long, and therefore is 320 bits long.The x coordinate of PC_(i) is 160 bits long. Hence encrypted content keyEKC_(i) is 320+160=480 bits (=60 bytes).

The data size of each encrypted content key in the conventionaltechnique is 80 bytes. Accordingly, the content delivery system 10 ofthe first embodiment enables the data size of each encrypted content keyto be reduced by ¾, when compared with that of the conventionaltechnique.

Suppose the number n of content reception devices is 1,000,000.According to the first embodiment, the data size of encrypted contentkey information EKC is 60×1,000,000=60,000,000 bytes (=60 megabytes).According to the conventional technique, meanwhile, the data size ofencrypted content key information is 80×1,000,000=80,000,000 bytes (=80megabytes).

Thus, the content delivery system 10 of the first embodiment enables thedata size of encrypted content key information to be reduced by 20megabytes, when compared with that of the conventional technique.

2. Second Embodiment

The following describes a content delivery system 10 b (not illustrated)to which the second embodiment of the present invention relates.

The content delivery system 10 b has a similar construction to thecontent delivery system 10 of the first embodiment. The followingdescription focuses on the differences from the content delivery system10.

Like the content delivery system 10, the content delivery system 10 b isroughly made up of one content delivery device 100 b and n contentreception devices 200 b ₁, 200 b ₂, . . . , 200 b _(i), . . . , 200 b_(n). The content delivery device 100 b is connected to each of thecontent reception devices 200 b ₁, 200 b ₂, . . . , 200 b _(n) via theInternet 20.

2.1. Construction of the Content Delivery Device 100 b

The content delivery device 100 b has a similar construction to thecontent delivery device 100. In detail, the content delivery device 100b includes the send/receive unit 101, the content key generation unit102, the content encryption unit 103, the public key storage unit 104, akey information generation unit 105 b, the content storage unit 106, andthe control unit 107. The control unit 107 is connected to the inputunit 108 and the display unit 109 (not illustrated).

Which is to say, the content delivery device 100 b differs from thecontent delivery device 100 in that the key information generation unit105 is replaced with the key information generation unit 105 b.

The following description focuses on the differences from the contentdelivery device 100.

(1) Key Information Generation Unit 105 b

The key information generation unit 105 b has a similar construction tothe key information generation unit 105. In detail, the key informationgeneration unit 105 b includes a key encryption unit 111 b, the countersetting unit 112, the counter increment unit 113, the counter judgmentunit 114, the output unit 115, the key control unit 116, the parameterstorage unit 117, and the counter 118 (not illustrated).

Which is to say, the key information generation unit 105 b differs fromthe key information generation unit 105 in that the key encryption unit111 is replaced with the key encryption unit 111 b. The followingdescription focuses on the differences from the key informationgeneration unit 105.

The key encryption unit 111 b generates encrypted content key EKC_(i)corresponding to the content reception device 200 b _(i), in thefollowing manner.

(a) Generate 160-bit random number k_(i).

(b) Read base point G, constant a, and prime p from the parameterstorage unit 117, and calculatePC _(i) =k _(i) *G

using random number k_(i), base point G, constant a, and prime p.

(c) Read public key KP_(i) from the public key storage unit 104, andcalculatek_(i)*KP_(i)

using random number k_(i), public key KP_(i), constant a, and prime p.

(d) Receive content key KC from the content key generation unit 102, andcalculates _(i) =KC xor x(k _(i) *KP _(i))

for k₁*KP_(i), using content key KC. Here, x(k_(i)*KP_(i)) is the xcoordinate of k_(i)*KP_(i), and xor is an operator for an exclusive-ORoperation. Also, sj is a scalar.

(e) Output x(PC_(i)) (the x coordinate of PC_(i)) and s_(i) to theoutput unit 115 as encrypted content key EKC_(i).

(2) Output Unit 115

The output unit 115 outputs encrypted content keys EKC₁, EKC₂, EKC₃, . .. , EKC_(n) to the send/receive unit 101 as encrypted content keyinformation EKC.

(3) Send/Receive Unit 101

The send/receive unit 101 receives encrypted content EC from the contentencryption unit 103, and encrypted content key information EKC from thekey information generation unit 105 b. The send/receive unit 101transmits encrypted content EC and encrypted content key information EKCto each of the content reception devices 200 b ₁, 200 b ₂, . . . , 200 b_(n) via the Internet 20.

FIG. 9 shows a data structure of transmission information 321 that istransmitted from the send/receive unit 101 to each of the contentreception devices 200 b ₁, 200 b ₂, . . . , 200 b _(n).

As illustrated, the transmission information 321 is composed ofencrypted content EC 322 and encrypted content key information EKC 323.The encrypted content key information EKC 323 is made up of n encryptedcontent keys 331, 332, . . . , 333. The ith encrypted content key, i.e.EKC_(i), is made up of x(PC_(i)) (the x coordinate of PC_(i)) and Si.

(4) Differences from the First Embodiment

The second embodiment differs from the first embodiment in that aciphertext is made up of x(PC_(i)) (the x coordinate of point PC_(i))and scalar s_(i), instead of X(PC_(i)) and point C_(i). In the secondembodiment, information about the y coordinate of PC_(i) is not includedat all (not even 1 bit) in encrypted content key information EKC, as inthe first embodiment.

2.2. Construction of the Content Reception Devices 200 b ₁, 200 b ₂, . .. , 200 b _(n)

The content reception devices 200 b ₁, 200 b ₂, . . . , 200 b _(n) havea similar construction to the content reception devices 200 ₁, 200 ₂, .. . , 200 _(n).

The construction of the content reception device 200 b _(i) is explainedbelow as a representative example of the content reception devices 200 b₁, 200 b ₂, . . . , 200 b _(n), focusing on the differences from thecontent reception device 200 _(i).

The content reception device 200 b _(i) has a similar construction tothe content reception device 200 _(i). In detail, the content receptiondevice 200 b _(i) includes the send/receive unit 201, the secret keystorage unit 202, the content decryption unit 203, a key decryption unit204 b, the playback unit 205, the control unit 206, the input unit 207,the monitor 208, the speaker 209, and the parameter storage unit 210.

Which is to say, the content reception device 200 b _(i) differs fromthe content reception device 200 _(i) in that the key decryption unit204 is replaced with the key decryption unit 204 b.

(1) Key Decryption Unit 204 b

The key decryption unit 204 b includes the square root calculation unit211, the scalar multiplication unit 212, and a content key calculationunit 213 b (not illustrated).

Which is to say, the key decryption unit 204 b differs from the keydecryption unit 204 in that the content key calculation unit 213 isreplaced with the content key calculation unit 213 b.

The square root calculation unit 211 calculates, for x(PC_(i)) includedin encrypted content key EKC_(i), square root rt ofz=x(PC _(i))³ +a×x(PC _(i))+b

on GF(p), and setsPC _(i)′=(x(PC _(i)),rt)

as explained earlier.

The scalar multiplication unit 212 calculates pointks_(i)*PC_(i)′

by multiplying PC_(i)′ by secret key ks_(i) stored in the secret keystorage unit 202, as explained earlier.

The content key calculation unit 213 b receives point ks_(i)*PC_(i)′from the scalar multiplication unit 212, and calculatess _(i) xor x(ks _(i) *PC _(i)′)

using received point ks_(i)*PC_(i)′. The content key calculation unit213 b sets the calculation result as decrypted content key KC′:KC′=s _(i) xor x(ks _(i) *PC _(i)′)2.3. Operations of the Content Delivery System 10 b

The following describes operations of the content delivery system 10 b.

The operations of the content delivery system 10 b are similar to thoseof the content delivery system 10, so that the following descriptionfocuses on the differences from the content delivery system 10.

An overall operation of the content delivery system 10 b is the same asthat shown in FIG. 5, and so its explanation has been omitted here.

An operation of generating encrypted content key information EKC by thekey information generation unit 105 b in the content delivery device 100b is the same as that shown in FIG. 6, and so its explanation has beenomitted here.

(1) Operation of Generating Encrypted Content Key EKC_(i)

FIG. 10 is a flowchart showing an operation of generating encryptedcontent key EKC_(i) by the key encryption unit 111 b in the keyinformation generation unit 105 b. This operation corresponds to stepS122 in FIG. 6.

The key encryption unit 11 b generates 160-bit random number k_(i)(S201). The key encryption unit 111 b reads base point G, constant a,and prime p from the parameter storage unit 117, and calculatesPC_(i)=k_(i)*G using random number k_(i), base point G, constant a, andprime p (S202). The key encryption unit 111 b also reads public keyKP_(i) from the public key storage unit 104, and calculates k_(i)*KP_(i)using random number k_(i), public key KP_(i), constant a, and primep(S203). The key encryption unit 111 b computes, for k_(i)*KP_(i),s_(i)=KC xor x(k_(i)*KP_(i)) using content key KC received from thecontent key generation unit 102 (S204). The key encryption unit 111 boutputs x(PC_(i)) (the x coordinate of PC_(i)) and s_(i) to the outputunit 115 as encrypted content key EKC_(i) (S205).

(2) Operation of Generating Decrypted Content Key KC′

FIG. 11 is a flowchart showing an operation of generating decryptedcontent key KC′ by the key decryption unit 204 b in the contentreception device 200 b _(i). This operation corresponds to step S105 inFIG. 5.

The square root calculation unit 211 calculates two square roots rt ofx(PC_(i))³+a×x(PC_(i))+b for x(PC_(i)) which is included in encryptedcontent key EKC_(i). The square root calculation unit 211 selects squareroot rt, out of two square roots rt, that satisfies rt<(p−1)/2. Thesquare root calculation unit 211 then generates PC_(i)′=(x(PC_(i)),rt)(S221).

Following this, the scalar multiplication unit 212 calculates pointks_(i)*PC_(i)′ by multiplying PC_(i)′ by ks_(i) (S222).

The content key calculation unit 213 b receives point ks_(i)*PC_(i)′from the scalar multiplication unit 212, and calculates s_(i) xorx(ks_(i)*PC_(i)′) using received point ks_(i)*PC_(i)′. The content keycalculation unit 213 b sets the calculation result as decrypted contentkey KC′ (S223).

Such decrypted content key KC′ is expected to be equal to content keyKC.

2.4. Reason that Decrypted Content Key KC′ is Equal to Content Key KC

Whenx(ks _(i) *PC _(i)′)=x(ks _(i) *PC _(i))=x(ks _(i) *k _(i) *G)=x(k _(i)*KP _(i))

holds true, decrypted content keyKC′=s _(i) xor x(ks _(i) *PC _(i)′)

is equal to content key KC. The reason thatx(ks_(i)*PC_(i)′)=x(k_(i)*KP_(i)) holds true is given below.

On an elliptic curve defined over GF(p), −P which is a correspondingnegative point of P=(x₁,y₁) is generally given by −P=(x₁,−y₁). Squareroot rt satisfiesrt ² =x(PC _(i))³ +a×x(PC _(i))+b

Likewise, y(PC_(i)) which is the y coordinate of point PC_(i) satisfiesy(PC _(i))² =x(PC _(i))³ +a×x(PC ₁)+b

Hencey(PC _(i))=rt

ory(PC _(i))=−rt

If y(PC_(i))=rt, then PC_(i)=PC_(i)′. Hencex(ks _(i) *PC _(i)′)=x(ks _(i) *PC _(i))

holds true.

If y(PC_(i))=−rt, on the other hand, then PC_(i)′=−PC_(i).

Therefore,ks _(i) PC _(i) ′=−ks _(i) *PC _(i)

Since x(P)=x(−P),x(ks _(i) *PC _(i)′)=x(ks _(i) *PC _(i))=x(ks _(i) *PC _(i))

holds true.

Accordingly,x(ks _(i) *PC _(i)′)=x(k _(i) *KP _(i))

is true. As a result, decrypted content key KC′ is equal to content keyKC.

2.5. Effects of the Second Embodiment

The following examines the data size of encrypted content key EKC_(i) inthe content delivery system 10 b.

For simplicity's sake, field of definition GF(p) of elliptic curve E₁ isassumed to be 160 bits long that is currently recommended in ellipticcurve cryptography.

Encrypted content key EKC_(i) corresponding to one content receptiondevice 200 b _(i) is made up of one scalar s_(i) and the x coordinate ofone point PC_(i), i.e. x(PC_(i)). Scalar s_(i) is 160 bits long.Likewise, the x coordinate of point PC_(i) is 160 bits long. Therefore,encrypted content key EKC_(i) is 160+160=320 bits (=40 bytes).

The data size of each encrypted content key according to theconventional technique is 80 bytes. Accordingly, the content deliverysystem 10 b of the second embodiment enables the data size of eachencrypted content key to be reduced by ½, when compared with that of theconventional technique.

Suppose the number n of content reception devices is 1,000,000.According to the second embodiment, the data size of encrypted contentkey information EKC is 40×1,000,000=40,000,000 bytes (=40 megabytes).According to the conventional technique, meanwhile, the data size ofencrypted content key information is 80×1,000,000=80,000,000 bytes (=80megabytes).

Thus, the content delivery system 10 b of the second embodiment enablesthe data size of encrypted content key information to be reduced by 40megabytes, when compared with that of the conventional technique.

3. Third Embodiment

The following describes a content delivery system 10 c (not illustrated)to which the third embodiment of the present invention relates.

The content delivery system 10 c has a similar construction to thecontent delivery system 10. The following description focuses on thedifferences from the content delivery system 10.

Like the content delivery system 10, the content delivery system 10 c isroughly made up of one content delivery device 100 c and n contentreception devices 200 c ₁, 200 c ₂, . . . , 200 c _(i), . . . , 200 c_(n). The content delivery device 100 c is connected to each of thecontent reception devices 200 c ₁, 200 c ₂, . . . , 200 c _(n) via theInternet 20.

3.1. Construction of the Content Delivery Device 100 c

The content delivery device 100 c has a similar construction to thecontent delivery device 100. In detail, the content delivery device 100c includes the send/receive unit 101, the content key generation unit102, the content encryption unit 103, the public key storage unit 104, akey information generation unit 105 c, the content storage unit 106, andthe control unit 107. The control unit 107 is connected to the inputunit 108 and the display unit 109 (not illustrated).

Which is to say, the content delivery device 100 c differs from thecontent delivery device 100 in that the key information generation unit105 is replaced with the key information generation unit 105 c.

The following description focuses on the differences from the contentdelivery device 100.

(1) Key Information Generation Unit 105 c

The key information generation unit 105 c has a similar construction tothe key information generation unit 105. FIG. 12 shows the constructionof the key information generation unit 105 c. As shown in the drawing,the key information generation unit 105 c includes the counter settingunit 112, the counter increment unit 113, the counter judgment unit 114,the output unit 115, the key control unit 116, the parameter storageunit 117, the counter 118, a common encryption unit 119 c, and anindividual encryption unit 120 c.

Which is to say, the key information generation unit 105 c differs fromthe key information generation unit 105 in that the key encryption unit111 is replaced with the common encryption unit 119 c and the individualencryption unit 120 c. The following description focuses on thedifferences from the key information generation unit 105.

(Counter Setting Unit 112)

The counter setting unit 112 sets counter i to 1.

(Common Encryption Unit 119 c)

The common encryption unit 119 c generates 160-bit random number k. Thecommon encryption unit 119 c also reads base point G, constant a, andprime p from the parameter storage unit 117, and calculates commonciphertextPC=k*G

using random number k, base point G, constant a, and prime p. The commonencryption unit 119 c outputs common ciphertext PC to the output unit115, and random number k to the individual encryption unit 120 c.

(Individual Encryption Unit 120 c)

The individual encryption unit 120 c generates individual ciphertexts_(i) corresponding to the content reception device 200 c _(i), in thefollowing way.

(a) Receive random number k from the common encryption unit 119 c.

(b) Read public key KP_(i) from the public key storage unit 104 andconstant a and prime p from the parameter storage unit 117, andcalculatek*KP _(i)

using random number k, public key KP_(i), constant a, and prime p.

(c) Receive content key KC from the content key generation unit 102, andcalculate individual ciphertexts _(i) KC xor x(k*KP _(i))

for k*KP_(i), using received content key KC. Here, x(k*KP_(i)) is the xcoordinate of k*KP_(i).

(d) output individual ciphertext s_(i) to the output unit 115.

(Counter Judgment Unit 114, Counter Increment Unit 113, Output Unit 115,and Key Control Unit 116)

The counter judgment unit 114 judges whether counter i is n.

The counter increment unit 113 increments counter i by 1, when thecounter judgment unit 114 judges that i≠n. Following this, the aboveprocedure is repeated.

The output unit 115 outputs common ciphertext PC and individualciphertexts s₁, s₂, s₃, . . . , s_(n) to the send/receive unit 101 asencrypted content key information EKC, when the counter judgment unit114 judges that i=n.

The key control unit 116 controls the construction elements in the keyinformation generation unit 105 c.

(2) Send/Receive Unit 101

The send/receive unit 101 receives encrypted content EC from the contentencryption unit 103, and encrypted content key information EKC from thekey information generation unit 105 c. The send/receive unit 101transmits encrypted content EC and encrypted content key information EKCto each of the content reception devices 200 c ₁, 200 c ₂, . . . , 200 c_(n) via the Internet 20.

FIG. 13 shows a data structure of transmission information 341 that istransmitted from the send/receive unit 101 to each of the contentreception devices 200 c ₁, 200 c ₂, . . . , 200 c _(n).

As illustrated, the transmission information 341 is composed ofencrypted content EC 342 and encrypted content key information EKC 343.The encrypted content key information EKC 343 is made up of commonciphertext PC 344 and n individual ciphertexts 351, 352, . . . , 353.The ith individual ciphertext, i.e. s_(i), is KC xor x(k*KP_(i)).

3.2. Construction of the Content Reception Devices 200 c ₁, 200 c ₂, . .. , 200 c _(n)

The content reception devices 200 c ₁, 200 c ₂, . . . , 200 c _(n) havea similar construction to the content reception devices 200 ₁, 200 ₂, .. . , 200 _(n).

The construction of the content reception device 200 c _(i) is explainedbelow as a representative example of the content reception devices 200 c₁, 200 c ₂, . . . , 200 c _(n), focusing on the differences from thecontent reception device 200 _(i).

The content reception device 200 c _(i) has a similar construction tothe content reception device 200 _(i). In detail, the content receptiondevice 200 c _(i) includes the send/receive unit 201, the secret keystorage unit 202, the content decryption unit 203, a key decryption unit204 c, the playback unit 205, the control unit 206, the input unit 207,the monitor 208, the speaker 209, and the parameter storage unit 210(not illustrated).

Which is to say, the content reception device 200 c _(i) differs fromthe content reception device 200 _(i) in that the key decryption unit204 is replaced with the key decryption unit 204 c.

(1) Send/Receive Unit 201

The send/receive unit 201 receives encrypted content EC and encryptedcontent key information EKC from the content delivery device 100 c viathe Internet 20, and outputs encrypted content EC to the contentdecryption unit 203 and encrypted content key information EKC to the keydecryption unit 204 c.

(2) Key Decryption Unit 204 c

FIG. 14 shows a construction of the key decryption unit 204 c. Asillustrated, the key decryption unit 204 c includes a scalarmultiplication unit 212 c and a content key calculation unit 213 c.

The scalar multiplication unit 212 c reads secret key ks_(i) from thesecret key storage unit 202. The scalar multiplication unit 212 cextracts common ciphertext PC from encrypted content key information EKCreceived from the send/receive unit 201. The scalar multiplication unit212 c also reads constant a and prime p from the parameter storage unit210, and calculates pointks _(i)*PC

by multiplying PC by ks_(i) using constant a, prime p, and secret keyks_(i). The scalar multiplication unit 212 c outputs point ks_(i)*PC tothe content key calculation unit 213 c.

The content key calculation unit 213 c stores the device ID number “i”assigned to the content reception device 200 c _(i), beforehand. Thecontent key calculation unit 213 c reads the device ID number “i”, andspecifies individual ciphertext s_(i) corresponding to the contentreception device 200 c _(i) in encrypted content key information EKCreceived from the send/receive unit 201, using the device ID number “i”.The content key calculation unit 213 c extracts s_(i) from encryptedcontent key information EKC. The content key calculation unit 213 c alsoreceives point ks_(i)*PC from the scalar multiplication unit 212 c. Thecontent key calculation unit 213 c then calculatess _(i) xor x(ks _(i*PC))

using received point ks_(i)*PC, and sets the calculation result asdecrypted content key KC′:KC′=s _(i) xor x(ks _(i*PC))

The content key calculation unit 213 c outputs decrypted content key KC′to the content decryption unit 203.

2.3. Operations of the Content Delivery System 10 c

The following describes operations of the content delivery system 10 c.

The operations of the content delivery system 10 c are similar to thoseof the content delivery system 10, so that the following descriptionfocuses on the differences from the content-delivery system 10.

An overall operation of the content delivery system 10 c is the same asthat shown in FIG. 5, and so its explanation has been omitted here.

(1) Operation of Generating Encrypted Content Key Information EKC

FIG. 15 is a flowchart showing an operation of generating encryptedcontent key information EKC by the key information generation unit 105 cin the content delivery device 100 c. This operation corresponds to stepS103 in FIG. 5.

The counter setting unit 112 sets counter i to 1 (S301).

The common encryption unit 119 c generates 160-bit random number k, andcalculates common ciphertext PC=k*G. The common encryption unit 119 coutputs common ciphertext PC to the output unit 115, and random number kto the individual encryption unit 120 c (S302).

The individual encryption unit 120 c generates individual ciphertexts_(i) corresponding to the content reception device 200 c _(i), andoutputs individual ciphertext s_(i) to the output unit 115 (S303).

The counter judgment unit 114 judges whether counter i is n (S304). Ifion, the counter increment unit 113 increments counter i by 1 (S305).The operation then returns to step S303.

If i=n, the output unit 115 outputs common ciphertext PC and individualciphertexts s₁, s₂, s₃, . . . , s_(n) to the send/receive unit 101 asencrypted content key information EKC (S306).

(2) Operation of Generating Decrypted Content Key KC′

FIG. 16 is a flowchart showing an operation of generating decryptedcontent key KC′ by the key decryption unit 204 c in the contentreception device 200 c _(i). This operation corresponds to step S105 inFIG. 5.

The scalar multiplication unit 212 c calculates point ks_(i)*PC bymultiplying common ciphertext PC by secret key ks_(i), using constant a,prime p, and secret key ks_(i). The scalar multiplication unit 212 coutputs point ks_(i)*PC to the content key calculation unit 213 c(S321).

The content key calculation unit 213 c calculates decrypted content keyKC′=s_(i) xor x(ks_(i)*PC), and outputs decrypted content key KC′ to thecontent decryption unit 203 (S322).

3.4. Effects of the Third Embodiment

The following examines the data size of encrypted content keyinformation EKC in the content delivery system 10 c.

For simplicity's sake, field of definition GF(p) of elliptic curve E₁ isassumed to be 160 bits that is currently recommended in elliptic curvecryptography.

Common ciphertext PC is a point on elliptic curve E₁. PC is made up of xand y coordinates that are each 160 bits long, and therefore is 320 bits(=40 bytes). Individual ciphertext s_(i) is 160 bits (=20 bytes).

Suppose n=1,000,000. According to the third embodiment, the data size ofencrypted content key information EKC is 40+20×1,000,000=20,000,040bytes (≈20 megabytes).

According to the conventional technique, meanwhile, the data size ofencrypted content key information is 80 megabytes. Thus, the contentdelivery system 10 c of the third embodiment enables the data size ofencrypted content key information to be reduced by ¼, when compared withthat of the conventional technique.

3.5. Conclusion on the Third Embodiment

According to this embodiment, the present invention can be realized byan information transfer system which includes an encryption device and aplurality of decryption devices and transfers information in secrecy.

The encryption device includes a storage unit, a common calculationunit, an individual calculation unit, and an output unit. The storageunit stores a plaintext. The common calculation unit generates a commonciphertext that is common to the plurality of decryption devices. Theindividual calculation unit separately generates a plurality ofindividual ciphertexts corresponding to the plurality of decryptiondevices, based on the plaintext. The output unit outputs the commonciphertext and the plurality of individual ciphertexts.

Each of the plurality of decryption devices includes an acquisitionunit, an extraction unit, and a decryption unit. The acquisition unitacquires the common ciphertext and the plurality of individualciphertexts. The extraction unit extracts an individual ciphertextcorresponding to the decryption device, from the plurality of individualciphertexts. The decryption unit generates a decrypted text using thecommon ciphertext and the extracted individual ciphertext.

The present invention can also be realized by an information transfersystem which includes an encryption device and a plurality of decryptiondevices, and transfers information in secrecy using a discrete logarithmproblem on a group as a basis for security.

Let g be a base element of the group. A public key of each of theplurality of decryption devices is calculated by applying, (ks−1) times,a group operation to the base element g, where ks is a secret key of thedecryption device.

The encryption device includes a storage unit, a random numbergeneration unit, a common calculation unit, an individual calculationunit which includes a public key calculation unit and an exclusive-ORunit, and an output unit. The storage unit stores a plaintext. Therandom number generation unit generates a random number k which is ascalar. The common calculation unit applies, (k−1) times, the groupoperation to the base element g, to generate a common ciphertextelement. The public key calculation unit applies, (k−1) times, the groupoperation to the public key of each of the plurality of decryptiondevices, to generate a plurality of group-operated public key elementscorresponding to the plurality of decryption devices. The exclusive-ORunit performs an exclusive-OR operation on the plaintext and each of theplurality of group-operated public key elements, to generate a pluralityof individual ciphertexts corresponding to the plurality of decryptiondevices. The output unit outputs the common ciphertext element and theplurality of individual ciphertexts.

Each of the plurality of decryption devices includes an acquisitionunit, an extraction unit, a secret key calculation unit, and anexclusive-OR unit. The acquisition unit acquires the common ciphertextelement and the plurality of individual ciphertexts. The extraction unitextracts an individual ciphertext corresponding to the decryption devicefrom the plurality of individual ciphertexts. The secret key calculationunit applies, (ks−1) times, the group operation to the common ciphertextelement where ks is a secret key of the decryption device. Theexclusive-OR unit performs an exclusive-OR operation on the extractedindividual ciphertext and the group-operated common ciphertext element,to generate a decrypted text.

The present invention can also be realized by an information transfersystem which includes an encryption device and a plurality of decryptiondevices, and transfers information in secrecy using an elliptic curvediscrete logarithm problem as a basis for security.

Let an elliptic curve be defined over a finite field GF(p) by anequationy ² =x ³ +a×x+b

with p being a prime and G being a base point on the elliptic curve.This being so, a public key point of each of the plurality of decryptiondevices is calculated by multiplying the base point G by a secret key ofthe decryption device, on the elliptic curve.

The encryption device includes a storage unit, a random numbergeneration unit, a common calculation unit, an individual calculationunit which includes a public key calculation unit and an exclusive-ORunit, and an output unit. The storage unit stores a plaintext. Therandom number generation unit generates a random number which is ascalar. The common calculation unit multiplies the base point G by therandom number to generate a common ciphertext point. The public keycalculation unit multiplies the public key point of each of theplurality of decryption devices by the random number, to generate aplurality of multiplied public key points corresponding to the pluralityof decryption devices. The exclusive-OR unit performs an exclusive-ORoperation on the plaintext and an x coordinate of each of the pluralityof multiplied public key points, to generate a plurality of individualciphertexts corresponding to the plurality of decryption devices. Theoutput unit outputs the common ciphertext point and the plurality ofindividual ciphertexts.

Each of the plurality of decryption devices includes an acquisitionunit, an extraction unit, a secret key calculation unit, and anexclusive-OR unit. The acquisition unit acquires the common ciphertextpoint and the plurality of individual ciphertexts. The extraction unitextracts an individual ciphertext corresponding to the decryptiondevice, from the plurality of individual ciphertexts. The secret keycalculation unit multiplies the common ciphertext point by a secret keyof the decryption device. The exclusive-OR unit performs an exclusive-ORoperation on the extracted individual ciphertext and an x coordinate ofthe multiplied common ciphertext point, to generate a decrypted text.

According to these constructions, the data size of the transferredciphertext is reduced by making part of the ciphertext common to alldecryption devices. This contributes to high practicality.

4. Conclusion on the First to Third Embodiments

As described above, the present invention can be realized by a contentdelivery system which includes a content delivery device, acommunication path, and a plurality of content reception devices, anddelivers content from the content delivery device to each of theplurality of content reception devices via the communication path.

The content delivery device includes: a transmission unit whichtransmits data to each of the plurality of content reception devices; acontent key generation unit which generates a content key; an encryptedcontent generation unit which encrypts the content using the contentkey; a public key storage unit which stores a public key of each of theplurality of content reception devices; and an encrypted content keyinformation generation unit which encrypts the content key using thepublic key to generate encrypted content key information.

Each of the plurality of content reception devices includes: a receptionunit which receives data from the content delivery device; a secret keystorage unit which stores a secret key of the content reception device;an encrypted content key decryption unit which decrypts the encryptedcontent key information to obtain the content key; and an encryptedcontent decryption unit which decrypts the encrypted content to obtainthe content.

The encrypted content key information generation unit performs ellipticcurve encryption, and generates the encrypted content key informationthat includes: an x coordinate of an elliptic curve point PC included ina ciphertext obtained by the elliptic curve encryption; and remainingparts the ciphertext other than the elliptic curve point PC. Theencrypted content key decryption unit calculates a y coordinate of theelliptic curve point PC whose x coordinate is included in the encryptedcontent key information.

Here, the elliptic curve encryption may be performed using an ellipticcurve defined byy ² =x ³ +a×x+b

where a and b are integers. In this case, the encrypted content keydecryption unit calculates the y coordinate of the elliptic curve pointPC by finding a square root of(PCx)³ +a×PCx+b

where PCx denotes the x coordinate of the elliptic curve point PC.

The present invention can also be realized by a content delivery systemwhich includes a content delivery device, a communication path, and aplurality of content reception devices, and delivers content from thecontent delivery device to each of the plurality of content receptiondevices via the communication path.

The content delivery device includes: a transmission unit whichtransmits data to each of the plurality of content reception devices; acontent key generation unit which generates a content key; an encryptedcontent generation unit which encrypts the content using the contentkey; a public key storage unit which stores a public key of each of theplurality of content reception devices; and an encrypted content keyinformation generation unit which encrypts the content key using thepublic key to generate encrypted content key information.

Each of the plurality of content reception devices includes: a receptionunit which receives data from the content delivery device; a secret keystorage unit which stores a secret key of the content reception device;an encrypted content key decryption unit which decrypts the encryptedcontent key information to obtain the content key; and an encryptedcontent decryption unit which decrypts the encrypted content to obtainthe content.

The encrypted content key information generation unit generates a commonciphertext which is common to the plurality of content reception devicesand a plurality of individual ciphertexts corresponding separately tothe plurality of content reception devices, as the encrypted content keyinformation.

Here, the encrypted content key information generation unit and theencrypted content key decryption unit may use elliptic curvecryptography.

Here, the common ciphertext and the plurality of individual ciphertextsmay each be a point on an elliptic curve. Alternatively, the commonciphertext may be a point on an elliptic curve and each of the pluralityof individual ciphertexts may be an element in a field of definition ofthe elliptic curve.

Here, the encrypted content key information generation unit and theencrypted content key decryption unit may use an ElGamal cipher.

The present invention can also be realized by a content delivery devicein a content delivery system which includes the content delivery device,a communication path, and a plurality of content reception devices, anddelivers content from the content delivery device to each of theplurality of content reception devices via the communication path.

The content delivery device includes: a transmission unit whichtransmits data to each of the plurality of content reception devices; acontent key generation unit which generates a content key; an encryptedcontent generation unit which encrypts the content using the contentkey; a public key storage unit which stores a public key of each of theplurality of content reception devices; and an encrypted content keyinformation generation unit which encrypts the content key using thepublic key to generate encrypted content key information.

The encrypted content key information generation unit performs ellipticcurve encryption, and generates the encrypted content key informationthat includes: an x coordinate of an elliptic curve point included in aciphertext obtained by the elliptic curve encryption; and remainingparts of the ciphertext other than the elliptic curve point.

The present invention can also be realized by a content reception devicein a content delivery system which includes a content delivery device, acommunication path, and a plurality of content reception devices, anddelivers content from the content delivery device to each of theplurality of content reception devices via the communication path.

The content reception device includes: a reception unit which receivesdata from the content delivery device; a secret key storage unit whichstores a secret key of the content reception device; an encryptedcontent key decryption unit which decrypts encrypted content keyinformation to obtain a content key; and an encrypted content decryptionunit which decrypts encrypted content to obtain the content.

The encrypted content key decryption unit calculates a y coordinate ofan elliptic curve point whose x coordinate is included in the encryptedcontent key information.

The present invention can also be realized by a content delivery devicein a content delivery system which includes the content delivery device,a communication path, and a plurality of content reception devices, anddelivers content from the content delivery device to each of theplurality of content reception devices via the communication path.

The content delivery device includes: a transmission unit whichtransmits data to each of the plurality of content reception devices; acontent key generation unit which generates a content key; an encryptedcontent generation unit which encrypts the content using the contentkey; a public key storage unit which stores a public key of each of theplurality of content reception devices; and an encrypted content keyinformation generation unit which encrypts the content key using thepublic key to generate encrypted content key information.

The encrypted content key information generation unit generates a commonciphertext that is common to the plurality of content reception devicesand a plurality of individual ciphertexts corresponding separately tothe plurality of content reception devices, as the encrypted content keyinformation.

The present invention can also be realized by a content reception devicein a content delivery system which includes a content delivery device, acommunication path, and a plurality of content reception devices, anddelivers content from the content delivery device to each of theplurality of content reception devices via the communication path.

The content reception device includes: a reception unit which receivesdata from the content delivery device; a secret key storage unit whichstores a secret key of the content reception device; an encryptedcontent key decryption unit which decrypts encrypted content keyinformation to obtain a content key; and an encrypted content decryptionunit which decrypts encrypted content to obtain the content.

The encrypted content key decryption unit obtains the content key from acommon ciphertext and an individual ciphertext included in the encryptedcontent key information. Here, the common ciphertext is common to theplurality of content reception devices, whereas the individualciphertext corresponds to the content reception device.

According to these constructions, the data size of encrypted content keyinformation can be reduced by omitting a y coordinate of an ellipticcurve point included in a ciphertext or by making part of the ciphertextcommon to the plurality of content reception devices. This contributesto high practicality.

5. Modifications

The present invention has been described by way of the above first tothird embodiments, though it should be obvious that the presentinvention is not limited to the above. Example modifications are givenbelow.

(1) The first embodiment describes the case where encrypted content keyEKC_(i) generated by the key encryption unit 111 in the key informationgeneration unit 105 in the content delivery device 100 is made up ofx(PC_(i)) (the x coordinate of point PC_(i)) and point C_(i). As analternative, encrypted content key EKC may be made up of point PC_(i)and x(C_(i)) (the x coordinate of point C_(i)).

In this case, the key encryption unit 111 generates encrypted contentkey EKC_(i) in the following manner.

(a) Generate 160-bit random number k_(i).

(b) Read base point G, constant a, and prime p from the parameterstorage unit 117, and calculatek_(i)*G

using random number k_(i), base point G, constant a, and prime p.Elliptic curve point multiplication is as described earlier.

(c) Read public key KP_(i) from the public key storage unit 104, andcalculatek_(i)*KP_(i)

using random number k_(i), public key KP_(i), constant a, and prime p.

(d) Receive content key KC from the content key generation unit 102, andconvert content key KC to point P_KC=f(KC) on elliptic curve E₁ usingconversion function f described earlier.

(e) CalculateC _(i) =P _(—) KC+k _(i) *KP _(j)

(f) Judge whether y(C_(i)) (the y coordinate of point C_(i)) satisfiesy(C _(i))<(p−1)/2

If y(C_(i))<(p−1)/2, set PC_(i)=k_(i)*G. If y(C_(i))≧(p−1)/2,setPC_(i)=−k_(i)*G.

(g) Output x(C_(i)) (the x coordinate of point C_(i)) and point PC_(i)to the output unit 115 as encrypted content key EKC_(i).

In the content reception device 200 _(i), the square root calculationunit 211 in the key decryption unit 204 calculates two square roots rtofx(C _(i))³ +a×x(C _(i))+b

for x(C_(i)) which is included in encrypted content key EKC_(i). Thesquare root calculation unit 211 selects square root rt, out of twosquare roots rt, that satisfies rt<(p−1)/2. The square root calculationunit 211 then generates C_(i)′=(x(C_(i)),rt).

Following this, the scalar multiplication unit 212 calculates pointks_(i)*PC_(i)

by multiplying PC_(i) by ks_(i).

After this, the content key calculation unit 213 calculatesP_KC′=C_(i) ′−ks _(i) *PC _(i)

The content key calculation unit 213 then converts P_KC′ to an integerto thereby generate decrypted content key KC′=f⁻¹(P_KC′).

Such decrypted content key KC′ is expected to be equal to content keyKC.

(2) The third embodiment describes the case where the individualencryption unit 120 c generates individual ciphertext s_(i)=KC xorx(k*KP_(i)) which is a scalar. Instead, the individual encryption unit120 c may generate individual ciphertext C_(i) which is a point onelliptic curve E₁, as in the first embodiment.

(3) The first to third embodiments describe the case where ellipticcurve E₁ defined over GF(p) is used, but elliptic curve E₂ defined overGF(p^(m)), e.g. GF(2^(m)), may instead be used.

Let elliptic curve E₂ be defined by an equation of the formy ² +xy=x ³ +a×x ² +b

Also, a corresponding negative point of point P(x,y) on elliptic curveE₂ is denoted by −P(x,x+y), and a generator polynomial of GF(2^(m)) isdenoted by f(x) whose root is α.

This being the case, the key information generation unit 105 in thecontent delivery device 100 generates encrypted content key informationEKC in the following way, as one example.

The key encryption unit 111 generates encrypted content key EKC_(i) asfollows.

(a) Generate 160-bit random number k_(i).

(b) Read base point G, constant a, and prime p from the parameterstorage unit 117, and calculatePC _(i) =k _(i) *G

using random number k_(i), base point G, constant a, and prime p.

(c) Read public key KP_(i) from the public key storage unit 104, andcalculatek_(i)*KP_(i)

using random number k_(i), public key KP_(i), constant a, and prime p.

(d) Receive content key KC from the content key generation unit 102, andconvert content key KC to point P_KC=f(KC) on elliptic curve E₂ usingconversion function f.

(e) Calculate P_KC+k_(i)*KP_(i).

(f) Find s which is the lowest degree of α among terms whosecoefficients are not 0 but 1, in a polynomial of x(PC_(i)) (the xcoordinate of PC_(i)) by α.

For example, when x(PC_(i))=α⁵+α⁵=α³, s=3 because term α³ has a nonzerocoefficient and a lowest degree.

(g) If a coefficient of term α^(s) in a polynomial of y(PC_(i)) (the ycoordinate of PC_(i)) by α is equal to the coefficient of term α^(s) inthe polynomial of x(PC_(i)) by α, setC _(i) =P _(—) KC+k _(i) *KP _(i)

If, on the other hand, the coefficient of term α^(s) in the polynomialof y(PC_(i)) by α is not equal to the coefficient of term α^(s) in thepolynomial of x(PC_(i)) by α, setC _(i)=−(P _(—) KC+k _(i) *KP _(i))

(h) Output x(PC_(i)) (the x coordinate of point PC_(i)) and point C_(i)to the output unit 115 as encrypted content key EKC_(i).

The output unit 115 outputs encrypted content keys EKC₁, EKC₂, EKC₃, . .. , EKC_(n) to the send/receive unit 101 as encrypted content keyinformation EKC.

The send/receive unit 101 transmits encrypted content EC and encryptedcontent key information EKC to each of the content reception devices 200₁, 200 ₂, . . . , 200 _(n) via the Internet 20.

The content reception device 200 _(i) receives encrypted content EC andencrypted content key information EKC from the content delivery device100 via the internet 20.

In the content reception device 200 _(i), the key decryption unit 204stores the device ID number “i” assigned to the content reception device200 _(i), beforehand.

The key decryption unit 204 receives encrypted content key informationEKC from the send/receive unit 201, and reads the device ID number “i”.The key decryption unit 204 specifies encrypted content key EKC_(i)corresponding to the content reception device 200 _(i) in encryptedcontent key information EKC using the device ID number “i”, as describedearlier. The key decryption unit 204 extracts encrypted content keyEKC_(i) from encrypted content key information EKC, and further extractsx(PC_(i)) (the x coordinate of point PC_(i)) and point C_(i) fromencrypted content key EKC_(i).

The key decryption unit 204 finds lowest degree s of α among terms whosecoefficients are not 0 but 1, in the polynomial of x(PC_(i)) by α. Thekey decryption unit 204 then computesy ² +x(PC _(i))y=x(PC _(i))³ +a×x(PC _(i))² +b

to obtain two solutions y_(i′-1) and y_(i′-2). The key decryption unit204 selects one solution, out of two solutions y_(i′-1) and y_(i′-2),whose polynomial by a contains term α^(s) having an equal coefficient toterm α^(s) in the polynomial of x(PC_(i)) by α. Hence solutiony(PC_(i))′ is selected.

Following this, the key decryption unit 204 setsPC _(i)′=(x(PC _(i)),y(PC _(i))′)

using selected y(PC_(i))′ and extracted x(PC_(i)). The key decryptionunit 204 then calculatesP _(—) KC′=C _(i) −ks _(i) *PC _(i)′

and converts P_KC′ to an integer to thereby generate decrypted contentkey KC′=f⁻¹(P_KC′).

The content decryption unit 203 decrypts encrypted content EC using suchdecrypted content key KC′, to generate decrypted content C′.

The above modification can further be modified as follows.

The above modification describes the case where s is the lowest degreeof α among terms whose coefficients are not 0 but 1. Alternatively, smay be the highest degree of α among terms whose coefficients are not 0but 1.

Also, the above modification describes an example of selecting one oftwo solutions y_(i′-1) and y_(i′-2) whose polynomial by α contains termα^(s) having an equal coefficient to term α^(s) in the polynomial ofx(PC_(i)) by α. Alternatively, one of two solutions y_(i′-1) andy_(i′-2) whose polynomial by α contains term α^(s) having an unequalcoefficient to term α^(s) in the polynomial of x(PC_(i)) by α may beselected.

(4) The third embodiment describes the case where ElGamal on an ellipticcurve is used, but ElGamal on a finite field may instead be used.

One example of the use of finite field ElGamal is given below.

Let p be a prime, g be a base element on finite field GF(p) (gεGP(p)),and q be an order of base element g (where g^(q)=1 mod p).

Also, ks_(i) denotes a secret key of the content reception device 200 c_(i), and kp_(i) denotes a public key of the content reception device200 c _(i) (kp_(i)=g^(ksi) mod p).

Here, a^(b) denotes exponentiation where a is raised to the power of b.

The content reception device 200 c _(i) stores secret key ks_(i), primep, base element g, and order q of base element g. The content deliverydevice 100 c stores public keys kp₁, kp₂, . . . , kp_(n), prime p, baseelement g, and order q of base element g.

In the content delivery device 100 c, the common encryption unit 119 cgenerates 160-bit random number k. The common encryption unit 119 c alsoreads base element g and prime p, and calculates common ciphertextpc=g ^(k) mod p

using random number k, base element g, and prime p. The commonencryption unit 119 c outputs common ciphertext pc to the output unit115, and random number k to the individual encryption unit 120 c.

The individual encryption unit 120 c generates individual ciphertextC_(i) corresponding to the content reception device 200 c _(i), asfollows.

(a) Receive random number k from the common encryption unit 119 c.

(b) Read public key KP_(i) and prime p, and calculatekp_(i) ^(k) mod p

using random number k, public key kp_(i), and prime p.

(c) Receive content key KC from the content key generation unit 102, andcalculate individual ciphertextc _(i) =KC xor(kp _(i) ^(k) mod p)

using received content key KC.

In this way, individual ciphertexts c_(i), c₂, . . . , c_(n)corresponding to the content reception devices 200 c ₁, 200 c ₂, . . . ,200 c _(n) are generated.

The transmission unit 101 transmits encrypted content key informationEKC that is made up of common ciphertext pc and individual ciphertextsc_(i), C₂, . . . , c_(n), to each of the content reception devices 200 c₁, 200 c ₂, . . . , 200 c _(n) via the Internet 20.

The content reception device 200 c _(i) receives encrypted content keyinformation EKC that is made up of common ciphertext pc and individualciphertexts c_(i), c₂, . . . , c_(n), from the content delivery device100 c.

In the content reception device 200 c _(i), the key decryption unit 204c includes the scalar multiplication unit 212 c and the content keycalculation unit 213 c, as shown in FIG. 14.

The scalar multiplication unit 212 c reads secret key ks_(i) and primep. The scalar multiplication unit 212 c also extracts common ciphertextpc from encrypted content key information EKC received from thesend/receive unit 201. The scalar multiplication unit 212 c calculatespc^(ksi) mod p

using prime p and secret key ks_(i). The scalar multiplication unit 212c outputs pc^(ksi) mod p to the content key calculation unit 213 c.

The content key calculation unit 213 c stores the device ID number “i”assigned to the content reception device 200 c _(i), beforehand. Thecontent key calculation unit 213 c reads the device ID number “i”. Thecontent key calculation unit 213 c specifies individual ciphertext c_(i)corresponding to the content reception device 200 c _(i) in encryptedcontent key information EKC received from the send/receive unit 201,using the device ID number “i”. The content key calculation unit 213 cextracts c_(i) from encrypted content key information EKC. The contentkey calculation unit 213 c also receives pc^(ksi) mod p from the scalarmultiplication unit 212 c, and calculatesc_(i) xor (pc^(ksi) mod p)

using received pc^(ksi) mod p. The content key calculation unit 213 csets the calculation result as decrypted content key KC′:KC′=c _(i) xor(pc ^(ksi) mod p)

The content key calculation unit 213 c outputs decrypted content key KC′to the content decryption unit 203.

According to this modification, the present invention can be realized byan information transfer system which includes an encryption device and aplurality of decryption devices, and transfers information in secrecyusing a finite field discrete logarithm problem as a basis for security.

Let p be a prime, g be a base element on a finite field GF(p) (gεGF(p)),and g be an order of the base element g (where g^(q)=1 mod p).

This being so, a public key kp of each of the plurality of decryptiondevices is calculated bykp=g ^(ks) mod p

using a secret key ks of the decryption device.

The encryption device includes a storage unit, a random numbergeneration unit, a common calculation unit, an individual calculationunit which includes a public key calculation unit and an exclusive-ORunit, and an output unit. The storage unit stores a plaintext. Therandom number generation unit generates a random number k. The commoncalculation unit generates a common ciphertext element pcpc=g ^(k) mod p

using the base element g and the random number k. The public keycalculation unit calculates an exponentiated public key elementkp^(k) mod p

using the public key kp of each of the plurality of decryption devicesand the random number k. The exclusive-OR unit performs an exclusive-ORoperation on the plaintext and the exponentiated public key elementcalculated for each of the plurality of decryption devices, to obtain aplurality of individual ciphertexts corresponding to the plurality ofdecryption devices. The output unit outputs the common ciphertextelement pC and the plurality of individual ciphertexts.

Each of the plurality of decryption devices includes an acquisitionunit, an extraction unit, a secret key calculation unit, and anexclusive-OR unit. The acquisition unit acquires the common ciphertextelement pc and the plurality of individual ciphertexts. The extractionunit extracts an individual ciphertext corresponding to the decryptiondevice, from the plurality of individual ciphertexts. The secret keycalculation unit calculates an exponentiated common ciphertext elementpc^(ks) mod p

using the common ciphertext element pc and the secret key ks of thedecryption device. The exclusive-OR unit performs an exclusive-ORoperation on the extracted individual ciphertext and the exponentiatedcommon ciphertext element, to generate a decrypted text.

(5) The first to third embodiments may be freely combined.

(6) The first to third embodiments describe the case where one pair ofsecret key and public key is assigned to each content reception device,but the present invention is not limited to such.

For example, content may be grouped according to type, such as author,producer, or genre, so that one pair of secret key and public key isassigned to each group.

Also, one pair of secret key and public key may be assigned to eachindividual user.

Further, one pair of secret key and public key may be assigned to eachgroup of users.

(7) The first to third embodiments describe the case where the contentdelivery device distributes encrypted content and encrypted content keyinformation via the Internet, but the content delivery device maydistribute a storage medium, such as a DVD or a memory card, on whichthe encrypted content and the encrypted content key information arestored. In this case, each content reception device reads the encryptedcontent and the encrypted content key information from the storagemedium and decrypts the encrypted content.

As an alternative, the content delivery device may broadcast theencrypted content and the encrypted content key information by digitalbroadcasting. In this case, each content reception device receives abroadcast wave carrying the encrypted content and the encrypted contentkey information, extracts the encrypted content and the encryptedcontent key information from the broadcast wave, and decrypts theencrypted content.

(8) The first to third embodiments and modifications describe the casewhere elliptic curve ElGamal or finite field ElGamal is used to encrypta content key, but the present invention is not limited to this.Elliptic curve ElGamal or finite field ElGamal may equally be used toencrypt content.

(9) The first to third embodiments describe an example of encryptingcontent, but this is not a limit for the present invention.

The present invention can be applied to any kind of secret communicationfor securely communicating information without the communicated contentbeing revealed to third parties. For instance, the present invention isapplicable to an e-mail transmission/reception system, a secretcommunication system for business transaction, a patent applicationfiling system, and a payment system in a financial institution.

(10) The present invention also applies to the method described above.This method may be realized by a computer-readable program that isexecuted by a computer. Such a computer-readable program may bedistributed as a digital signal.

The present invention may be realized by a computer-readable storagemedium, such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, aDVD-ROM, a DVD-RAM, a BD (Blu-ray Disc), or a semiconductor memory, onwhich the above computer-readable program or digital signal is recorded.Conversely, the present invention may also be realized by thecomputer-readable program or digital signal that is recorded on such astorage medium.

The computer-readable program or digital signal that achieves thepresent invention may also be transmitted via a network, such as anelectronic communications network, a wired or wireless communicationsnetwork, or the Internet, or via data broadcasting.

The present invention can also be realized by a computer system thatincludes a microprocessor and a memory. In this case, thecomputer-readable program can be stored in the memory, with themicroprocessor operating in accordance with this computer-readableprogram.

The computer-readable program or digital signal may be provided to anindependent computer system by distributing a storage medium on whichthe computer-readable program or digital signal is recorded, or bytransmitting the computer-readable program or digital signal via anetwork. The independent computer system may then execute thecomputer-readable program or digital signal to function as the presentinvention.

(11) The first to third embodiments and modifications may be freelycombined.

As described above, the present invention can reduce the data size ofencrypted content key information, by omitting the y coordinate of anelliptic curve point in a ciphertext from each encrypted content key orby making part of the ciphertext common to all content receptiondevices.

INDUSTRIAL APPLICABILITY

The devices of the present invention can be used recurrently andcontinuously in any industry that handles information securely andreliably without the information being revealed to third parties. Also,the devices of the present invention can be manufactured and soldrecurrently and continuously in a manufacturing industry of electricalproducts.

1. An information transfer system for transferring information insecrecy using an elliptic curve discrete logarithm problem as a basisfor security, the information transfer system including an encryptiondevice and a decryption device, the encryption device comprising: astorage unit storing a plaintext; an encryption unit operable to performelliptic curve encryption on the plaintext, and generate a ciphertextthat includes an x coordinate of an encryption point on an ellipticcurve, the encryption point being generated by the elliptic curveencryption; and an output unit operable to output the ciphertext, andthe decryption device comprising: an acquisition unit operable toacquire the ciphertext; and a decryption unit operable to calculate a ycoordinate of the encryption point on the elliptic curve using the xcoordinate included in the acquired ciphertext, and perform ellipticcurve decryption using the encryption point and other informationincluded in the acquired ciphertext to generate a decrypted text.
 2. Anencryption device for encrypting a plaintext using an elliptic curvediscrete logarithm problem as a basis for security, comprising: astorage unit storing the plaintext; an encryption unit operable toperform elliptic curve encryption on the plaintext, and generate aciphertext that includes an x coordinate of an encryption point on anelliptic curve, the encryption point being generated by the ellipticcurve encryption; and an output unit operable to output the ciphertext.3. The encryption device of claim 2, wherein: the plaintext stored inthe storage unit is a scalar; and the encryption unit includes: a randomnumber generation unit operable to generate a random number which is ascalar; a first calculation unit operable to multiply a base point onthe elliptic curve by the random number; a second calculation unitoperable to multiply a public key point on the elliptic curve by therandom number; a conversion unit operable to apply a conversion functionfor converting a scalar to a corresponding point on the elliptic curve,to the plaintext to generate a plaintext point on the elliptic curve; athird calculation unit operable to calculate a sum point, using additionof the plaintext point and the multiplied public key point; and ageneration unit operable to generate the ciphertext that includes thesum point and an x coordinate of the multiplied base point which is theencryption point.
 4. The encryption device of claim 3, wherein: thethird calculation unit judges whether a predetermined condition issatisfied, and sets, as the sum point, a sum of the plaintext point andthe multiplied public key point if the judgment is affirmative, and acorresponding negative point of the sum of the plaintext point and themultiplied public key point if the judgment is negative.
 5. Theencryption device of claim 4, wherein: the elliptic curve is definedover a finite field GF(p) by an equationy ² =x ³ +a×x+b where p is a prime; and the third calculation unitjudges, as the predetermined condition, whether a y coordinate of themultiplied base point is smaller than (p−1)/2.
 6. The encryption deviceof claim 4, wherein: the elliptic curve is defined over a finite fieldGF(2^(m)) by an equationy ² +xy=x ³ +ax ² +b where m is a natural number, with a generatorpolynomial in GF(2^(m)) being denoted by f(x) whose root is α; and thethird calculation unit judges, as the predetermined condition, whether acoefficient of a term α^(s) in the generator polynomial of a ycoordinate of the multiplied base point by α is equal to a coefficientof a term α^(s) in the generator polynomial of the x coordinate of themultiplied base point by α, where s denotes a lowest degree among termswith nonzero coefficients in the generator polynomial of the xcoordinate of the multiplied base point by α.
 7. The encryption deviceof claim 2, wherein: the elliptic curve is defined over a finite fieldGF(p) by an equationy ² =x ³ +a×x+b where p is a prime; the plaintext stored in the storageunit is a scalar; and the encryption unit includes: a random numbergeneration unit operable to generate a random number which is a scalar;a second calculation unit operable to multiply a public key point on theelliptic curve by the random number; a conversion unit operable to applya conversion function for converting a scalar to a corresponding pointon the elliptic curve, to the plaintext to generate a plaintext point onthe elliptic curve; a third calculation unit operable to add theplaintext point and the multiplied public key point to obtain a sumpoint; a first calculation unit operable to judge whether a y coordinateof the sum point is smaller than (p−1)/2, and multiply a base point onthe elliptic curve by the random number if the judgment is affirmative,and multiply the base point on the elliptic curve by a correspondingnegative number of the random number if the judgment is negative; and ageneration unit operable to generate the ciphertext that includes themultiplied base point and an x coordinate of the sum point which is theencryption point.
 8. The encryption device of claim 2, wherein: theelliptic curve is defined over a finite field GF(p) by an equationy ² =x ³ +a×x+b where p is a prime; the plaintext stored in the storageunit is a scalar; and the encryption unit includes: a random numbergeneration unit operable to generate a random number which is a scalar;a first calculation unit operable to multiply a base point on theelliptic curve by the random number; a second calculation unit operableto multiply a public key point on the elliptic curve by the randomnumber; a third calculation unit operable to perform an exclusive-ORoperation on the plaintext and an x coordinate of the multiplied publickey point; and a generation unit operable to generate the ciphertextthat includes an exclusive-OR value obtained as a result of theexclusive-OR operation and an x coordinate of the multiplied base pointwhich is the encryption point.
 9. The encryption device of claim 2,wherein: the plaintext stored in the storage unit is a content key; theencryption unit generates the ciphertext by encrypting the content key;and the encryption device further comprises: a content encryption unitoperable to encrypt content using the content key; and a content outputunit operable to output the encrypted content.
 10. A decryption devicefor decrypting a ciphertext using an elliptic curve discrete logarithmproblem as a basis for security, comprising: an acquisition unitoperable to acquire the ciphertext which includes an x coordinate of anencryption point on an elliptic curve, the encryption point having beengenerated by performing elliptic curve encryption on a plaintext; and adecryption unit operable to calculate a y coordinate of the encryptionpoint on the elliptic curve using the x coordinate included in theacquired ciphertext, and perform elliptic curve decryption using theencryption point and other information included in the acquiredciphertext to generate a decrypted text.
 11. The decryption device ofclaim 10, wherein: the elliptic curve is defined over a finite fieldGF(p) by an equationy ² =x ³ +a×x+b where p is a prime; the acquisition unit acquires theciphertext from the encryption device of claim 5; and the decryptionunit includes: a square root calculation unit operable to substitute thex coordinate included in the acquired ciphertext into the equationy^(2=x) ³+a×x+b to find two solutions y, select one of the two solutionsy that is smaller than (p−1)/2, and generate a first decryption pointwhich is made up of the x coordinate included in the acquired ciphertextand the selected solution y as a y coordinate; a scalar multiplicationunit operable to multiply the first decryption point by a secret keywhich is a scalar to generate a second decryption point, the public keypoint having been generated by multiplying the base point on theelliptic curve by the secret key; and a decrypted text calculation unitoperable to subtract the second decryption point from the sum pointincluded in the acquired ciphertext, and apply an inverse conversionfunction for converting a point on the elliptic curve to a correspondingscalar, to a point obtained as a result of the subtraction to generatethe decrypted text.
 12. The decryption device of claim 10, wherein: theelliptic curve is defined over a finite field GF(2^(m)) by an equationy ² +xy=x ³ +ax ² +b where m is a natural number, with a generatorpolynomial in GF(2^(m)) being denoted by f(x) whose root is α; theacquisition unit acquires the ciphertext from the encryption device ofclaim 6; and the decryption unit includes: a detection unit operable todetect s which is a lowest degree among terms with nonzero coefficientsin the generator polynomial of the x coordinate included in the acquiredciphertext by α; a solution unit operable to substitute the x coordinateincluded in the acquired ciphertext into the equation y²+xy=x³+ax²+b tofind two solutions y, select, out of the two solutions y, a solution ywhose generator polynomial by α includes a term α^(s) that has an equalcoefficient to a term α^(s) in the generator polynomial of the xcoordinate included in the acquired ciphertext by α, and generate afirst decryption point which is made up of the x coordinate included inthe acquired ciphertext and the selected solution y as a y coordinate; ascalar multiplication unit operable to multiply the first decryptionpoint by a secret key which is a scalar to generate a second decryptionpoint, the public key point having been generated by multiplying thebase point on the elliptic curve by the secret key; and a decrypted textcalculation unit operable to subtract the second decryption point fromthe sum point included in the acquired ciphertext, and apply an inverseconversion function for converting a point on the elliptic curve to acorresponding scalar, to a point obtained as a result of the subtractionto generate the decrypted text.
 13. The decryption device of claim 10,wherein: the elliptic curve is defined over a finite field GF(p) by anequationy ² =x ³ +a×x+b where p is a prime; the acquisition unit acquires theciphertext from the encryption device of claim 7; and the decryptionunit includes: a square root calculation unit operable to substitute thex coordinate included in the acquired ciphertext into the equationy²=x³+a×x+b to find two solutions y, select one of the two solutions ythat is smaller than (p−1)/2, and generate a first decryption pointwhich is made up of the x coordinate included in the acquired ciphertextand the selected solution y as a y coordinate; a scalar multiplicationunit operable to multiply the multiplied base point included in theacquired ciphertext by a secret key which is a scalar to generate asecond decryption point, the public key point having been generated bymultiplying the base point on the elliptic curve by the secret key; anda decrypted text calculation unit operable to subtract the seconddecryption point from the first decryption point, and apply an inverseconversion function for converting a point on the elliptic curve to acorresponding scalar, to a point obtained as a result of the subtractionto generate the decrypted text.
 14. The decryption device of claim 10,wherein: the elliptic curve is defined over a finite field GF(p) by anequationy ² =x ³ +a×x+b where p is a prime; the acquisition unit acquires theciphertext from the encryption device of claim 8; and the decryptionunit includes: a square root calculation unit operable to substitute thex coordinate included in the acquired ciphertext into the equationy^(2=x) ³+a×x+b to find two solutions y, select one of the two solutionsy that is smaller than (p−1)/2, and generate a first decryption pointwhich is made up of the x coordinate included in the acquired ciphertextand the selected solution y as a y coordinate; a scalar multiplicationunit operable to multiply the first decryption point by a secret keywhich is a scalar to generate a second decryption point, the public keypoint having been generated by multiplying the base point on theelliptic curve by the secret key; and a decrypted text calculation unitoperable to perform an exclusive-OR operation on the exclusive-OR valueincluded in the acquired ciphertext and an x coordinate of the seconddecryption point, to generate the decrypted text.
 15. The decryptiondevice of claim 10, wherein: the acquisition unit acquires theciphertext and the encrypted content from the encryption device of claim9; the decryption unit decrypts the ciphertext to generate the decryptedtext which is a decrypted content key; and the decryption device furthercomprises: a content decryption unit operable to decrypt the encryptedcontent using the decrypted content key to generate decrypted content;and content playback unit operable to play back the decrypted content.16. An encryption method used in an encryption device for encrypting aplaintext using an elliptic curve discrete logarithm problem as a basisfor security, comprising: an encryption step of performing ellipticcurve encryption on the plaintext, and generating a ciphertext thatincludes an x coordinate of an encryption point on an elliptic curve,the encryption point being generated by the elliptic curve encryption;and an output step of outputting the ciphertext.
 17. A computer-readableprogram for use in an encryption device for encrypting a plaintext usingan elliptic curve discrete logarithm problem as a basis for security,the program comprising codes for executing: an encryption step ofperforming elliptic curve encryption on the plaintext, and generating aciphertext that includes an x coordinate of an encryption point on anelliptic curve, the encryption point being generated by the ellipticcurve encryption; and an output step of outputting the ciphertext. 18.The program of claim 17, recorded on a computer-readable storage medium.19. A decryption method used in a decryption device for decrypting aciphertext using an elliptic curve discrete logarithm problem as a basisfor security, comprising: an acquisition step of acquiring theciphertext which includes an x coordinate of an encryption point on anelliptic curve, the encryption point having been generated by performingelliptic curve encryption on a plaintext; and a decryption step ofcalculating a y coordinate of the encryption point on the elliptic curveusing the x coordinate included in the acquired ciphertext, andperforming elliptic curve decryption using the encryption point andother information included in the acquired ciphertext to generate adecrypted text.
 20. A computer-readable program for use in a decryptiondevice for decrypting a ciphertext using an elliptic curve discretelogarithm problem as a basis for security, the program comprising codesfor executing: an acquisition step of acquiring the ciphertext whichincludes an x coordinate of an encryption point on an elliptic curve,the encryption point having been generated by performing elliptic curveencryption on a plaintext; and a decryption step of calculating a ycoordinate of the encryption point on the elliptic curve using the xcoordinate included in the acquired ciphertext, and performing ellipticcurve decryption using the encryption point and other informationincluded in the acquired ciphertext to generate a decrypted text. 21.The program of claim 20, recorded on a computer-readable storage medium.